Jukka Svahn

That is pretty neat and simple. Does the href have any encoding requirements? The permlink tag doesn't necessarily generate valid URIs and it encodes output for safe HTML use (partially?), but not for URIs technically.

With the default sanitizer methods (which are pluggable), and if URL title generation is left to Textpattern, it will generate 'correct' URIs with no actual injection vulnerabilities, but nonetheless the deployed final encoding is 'wrong'.

One of the big mistakes in Textpattern's codebase is (up to 4.6-dev) the use of the wrong encoding and sanitization methods for different tasks, which leads to annoying patching tasks, borked backwards compatibility and ultimately XSS. Freaking died out of laughter when I saw PHP's htmlspecialchars() being responsible for encoding query string components and JSON values.
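The context mismatch described above, as an added PHP example (not Textpattern's code): it runs one user-typed value through htmlspecialchars() and through the encoder each output context actually needs, and lists which structural characters the HTML encoder leaves untouched. The helper names encode_for and unencoded_metachars and the sample title are assumptions.

```php
<?php
// Added example, not Textpattern code: why an HTML-context encoder must not be
// reused for URL query components or JSON values.
declare(strict_types=1);

/** Context-correct encoders. The 'html' case is the only place htmlspecialchars() belongs. */
function encode_for(string $context, string $value): string
{
    switch ($context) {
        case 'html':  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'query': return rawurlencode($value);                     // RFC 3986 percent-encoding of one component
        case 'json':  return json_encode($value, JSON_THROW_ON_ERROR);  // quoted, escaped JSON string literal
        default:      throw new InvalidArgumentException("unknown context: $context");
    }
}

/** Characters that are structural in each context and must never pass through raw. */
const CONTEXT_METACHARS = [
    'query' => ['&', '=', '#', '?', ' ', '+', '%'],
    'json'  => ['"', '\\', "\n", "\r"],
];

/** List the metacharacters of $context that $encoder leaves unchanged. */
function unencoded_metachars(string $context, callable $encoder): array
{
    return array_values(array_filter(
        CONTEXT_METACHARS[$context],
        fn(string $ch): bool => $encoder($ch) === $ch
    ));
}

$html = fn(string $s): string => encode_for('html', $s);

// Constructed sample: an article title a user could plausibly type.
$title = 'a=1&b=2 "quoted" back\slash';

// Query-string context: htmlspecialchars() rewrites only '&' and '"'; '=' and ' ' go straight through.
echo '?q=' . $html($title), "\n";
echo '?q=' . encode_for('query', $title), "\n";

// JSON context: the backslash survives, so the first line is not a valid JSON document.
echo '{"title":"' . $html($title) . '"}', "\n";
echo '{"title":' . encode_for('json', $title) . '}', "\n";

foreach (['query', 'json'] as $ctx) {
    printf("%-5s metachars htmlspecialchars() leaves raw: %s\n", $ctx, json_encode(unencoded_metachars($ctx, $html)));
    printf("%-5s metachars encode_for() leaves raw:       %s\n", $ctx, json_encode(unencoded_metachars($ctx, fn(string $s): string => encode_for($ctx, $s))));
}
```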