From d0479a55ced812b6e38c89eafcc86852c608b195 Mon Sep 17 00:00:00 2001 From: Ferywir <65760459+Ferywir@users.noreply.github.com> Date: Wed, 24 Jun 2026 05:51:24 +0200 Subject: [PATCH] fix(profile): store profile descriptions raw to stop double-escaping (#273) --- GameEngine/Admin/Mods/editUser.php | 20 ++++++++------------ GameEngine/Profile.php | 10 +++++++--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/GameEngine/Admin/Mods/editUser.php b/GameEngine/Admin/Mods/editUser.php index a79ee923..5c74bd96 100755 --- a/GameEngine/Admin/Mods/editUser.php +++ b/GameEngine/Admin/Mods/editUser.php @@ -65,25 +65,21 @@ $email = $database->escape($email); $tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1))); +// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE +// SQL-safe and strip_tags() drops markup; every display site (player.tpl, +// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra +// RemoveXSS() here only double-escaped the stored value (literal " entities). $location_raw = trim($_POST['location'] ?? ''); -$location = $database->escape( - $database->RemoveXSS(mb_substr(strip_tags($location_raw), 0, 50)) -); +$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50)); $desc1_raw = $_POST['desc1'] ?? ''; -$desc1 = $database->escape( - $database->RemoveXSS(mb_substr(strip_tags($desc1_raw, '
'), 0, 5000)) -); +$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '
'), 0, 5000)); $desc2_raw = $_POST['desc2'] ?? ''; -$desc2 = $database->escape( - $database->RemoveXSS(mb_substr(strip_tags($desc2_raw, '
'), 0, 5000)) -); +$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '
'), 0, 5000)); $quest_raw = trim($_POST['quest'] ?? ''); -$quest = $database->escape( - $database->RemoveXSS(mb_substr(strip_tags($quest_raw), 0, 200)) -); +$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200)); // --------------------------------------------------------------------------- // Update diff --git a/GameEngine/Profile.php b/GameEngine/Profile.php index 84dbd5a5..9822b667 100755 --- a/GameEngine/Profile.php +++ b/GameEngine/Profile.php @@ -219,9 +219,13 @@ class Profile { $birthday = preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $birthday) ? $birthday : '0'; $mw = (int)($post['mw'] ?? 0); - $ort = $database->RemoveXSS(trim($post['ort'] ?? '')); - $be1 = $database->RemoveXSS(trim($post['be1'] ?? '')); // right description - $be2 = $database->RemoveXSS(trim($post['be2'] ?? '')); // left description + // BUG-3: store the location/descriptions raw. submitProfile() uses a prepared + // statement (SQL-safe) and every display site escapes with htmlspecialchars() + // before rendering BBCode, so RemoveXSS() here only double-escaped the data + // (baked-in backslashes from its SQL escape + literal " entities). + $ort = trim($post['ort'] ?? ''); + $be1 = trim($post['be1'] ?? ''); // right description + $be2 = trim($post['be2'] ?? ''); // left description $database->submitProfile($session->uid, $mw, $ort, $birthday, $be2, $be1);