Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
Ask a Question

Clarification of qa_html vs qa_lang_html

+1 vote
1.2k views
in Q2A Core by

As reported here there was a potential XSS vulnerability in one of my plugins. I was under the impression that the qa_lang_html functions escaped the output for display, given the name similarity to qa_html. However it appears this is not always the case, for example this:

qa_lang_html_sub('myplugin/string', '<script>alert(1)</script>');

...will output a script tag directly. Is this the intended behaviour or a bug? It feels wrong to me, given there is already qa_lang_sub for raw output - qa_lang_html_sub should be escaping the data.

Q2A version: 1.5.3
by
I'll also add that many of the calls to qa_lang_html_sub in the core code appear to also call qa_html, something like:
$value=qa_lang_html_sub('identifier', qa_html($content));

What would be the difference between this and calling qa_lang_sub?

1 Answer

+1 vote
by
selected by
 
Best answer

Yes, qa_lang_html_sub(...) does not HTML escape the second parameter, by design. (That's why it's not called qa_lang_sub_html!) The reason is that Q2A sometimes substitutes some HTML code into a phrase, that escaping would ruin. You can of course call qa_html(qa_lang_sub(...)) if you wish to.

by
OK I have updated all my plugins to escape the parameters before passing into the function.

I'm sure you can see how confusing the function names can be...
Snow Theme by Q2A Market
Powered by Question2Answer
...