
As reported here there was a potential XSS vulnerability in one of my plugins. I was under the impression that the qa_lang_html functions escaped the output for display, given the name similarity to qa_html. However it appears this is not always the case, for example this:

qa_lang_html_sub('myplugin/string', '<script>alert(1)</script>');

...will output a script tag directly. Is this the intended behaviour or a bug? It feels wrong to me, given there is already qa_lang_sub for raw output - qa_lang_html_sub should be escaping the data.

Q2A version: 1.5.3
I'll also add that many of the calls to qa_lang_html_sub in the core code appear to also call qa_html, something like:
$value=qa_lang_html_sub('identifier', qa_html($content));

What would be the difference between this and calling qa_lang_sub?

1 Answer


Yes, qa_lang_html_sub(...) does not HTML escape the second parameter, by design. (That's why it's not called qa_lang_sub_html!) The reason is that Q2A sometimes substitutes some HTML code into a phrase, that escaping would ruin. You can of course call qa_html(qa_lang_sub(...)) if you wish to.

OK I have updated all my plugins to escape the parameters before passing into the function.

I'm sure you can see how confusing the function names can be...
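To make the behaviour discussed in this thread concrete, here is an added, stand-alone model of the three functions involved (it is not Q2A's own code; the function names are taken from the thread, while the phrase array, the sample phrase and the `^` placeholder convention are assumptions made for the example). It shows why passing untrusted input straight into qa_lang_html_sub is an XSS sink, and what each of the two escaping patterns mentioned in the question and answer actually produces.

```php
<?php
// Added example, not Q2A's own code: a minimal model of qa_lang_sub,
// qa_lang_html_sub and qa_html that behaves the way the answer describes:
// qa_lang_html_sub escapes the phrase text but substitutes the parameter as-is.
// Assumptions: phrases live in a hypothetical array keyed 'prefix/name', and
// '^' marks the substitution point.

$phrases = array(
    // constructed sample phrase for a hypothetical plugin
    'myplugin/string' => 'Hello, ^! Welcome back.',
);

function qa_html($string) {
    // Escape for an HTML body/attribute context.
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

function qa_lang($identifier) {
    global $phrases;
    return isset($phrases[$identifier]) ? $phrases[$identifier] : $identifier;
}

function qa_lang_sub($identifier, $substitution, $symbol = '^') {
    // Raw phrase, raw substitution: nothing is escaped here.
    return str_replace($symbol, $substitution, qa_lang($identifier));
}

function qa_lang_html($identifier) {
    // Escape the phrase text itself.
    return qa_html(qa_lang($identifier));
}

function qa_lang_html_sub($identifier, $substitution, $symbol = '^') {
    // Phrase escaped, parameter inserted untouched (by design, so a caller
    // can deliberately substitute markup such as a link).
    return str_replace($symbol, $substitution, qa_lang_html($identifier));
}

// Constructed untrusted input, e.g. a user-supplied display name.
$untrusted = '<script>alert(1)</script>';

// 1. Unsafe: the parameter reaches the page unescaped.
$unsafe = qa_lang_html_sub('myplugin/string', $untrusted);

// 2. Safe, the pattern the core code uses: escape the parameter first.
$escapedParam = qa_lang_html_sub('myplugin/string', qa_html($untrusted));

// 3. Also safe, the pattern from the answer: escape the whole substituted phrase.
$escapedWhole = qa_html(qa_lang_sub('myplugin/string', $untrusted));

// 4. Intentional markup: the case the by-design behaviour exists for.
$withLink = qa_lang_html_sub(
    'myplugin/string',
    '<a href="/user/alice">' . qa_html('alice') . '</a>'
);

$results = array(
    'unsafe'        => $unsafe,
    'escaped param' => $escapedParam,
    'escaped whole' => $escapedWhole,
    'with link'     => $withLink,
);
foreach ($results as $label => $html) {
    echo str_pad($label, 15) . $html . "\n";
}

// Self-check: only the first variant still carries a live script tag.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($escapedParam, '<script>') === false);
assert(strpos($escapedWhole, '<script>') === false);
```

Running this prints a live `<script>` tag for the first variant and `&lt;script&gt;` for the other two. Variants 2 and 3 give the same output for plain-text input, which answers the "what is the difference" question in the thread: with qa_lang_sub on its own neither the phrase nor the parameter is escaped, and wrapping the whole result in qa_html escapes both, so you lose the ability to substitute intentional markup; escaping only the parameter before calling qa_lang_html_sub keeps that ability while still neutralising untrusted input.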