fix(profile): store profile descriptions raw to stop double-escaping (#273)

This commit is contained in:
Ferywir
2026-06-24 05:51:24 +02:00
committed by GitHub
parent c0bbf2bfbe
commit d0479a55ce
2 changed files with 15 additions and 15 deletions
+8 -12
View File
@@ -65,25 +65,21 @@ $email = $database->escape($email);
$tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1)));
// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE
// SQL-safe and strip_tags() drops markup; every display site (player.tpl,
// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra
// RemoveXSS() here only double-escaped the stored value (literal " entities).
$location_raw = trim($_POST['location'] ?? '');
$location = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($location_raw), 0, 50))
);
$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50));
$desc1_raw = $_POST['desc1'] ?? '';
$desc1 = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000))
);
$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000));
$desc2_raw = $_POST['desc2'] ?? '';
$desc2 = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000))
);
$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000));
$quest_raw = trim($_POST['quest'] ?? '');
$quest = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($quest_raw), 0, 200))
);
$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200));
// ---------------------------------------------------------------------------
// Update