<script> tags are not sanitized in extra question field?

Question

Just to bring this to your awareness that Q2A does not sanitize the extra field input.

<script> tags and other harmful tags may still exist in your database.

If you are trying to display the content of this extra field, for example, you want to display it on question lists, or in a widget, you may accidentally execute those scripts.

Comments

Oh, I received a flag! That's nothing but an insult. One good reason to stop posting in here.

Answer 1

Not true.

Enter for example:

<script>alert("test");</script>

Save and check the HTML created:

&lt;script&gt;alert(&quot;test&quot;);&lt;/script&gt;

Nothing to be executed.

As Scott said:

You should always escape output before displaying it anywhere on a web page. In Q2A this is done with the qa_html() function.

Comments

I'm not sure how your HTML is rendered like that. Maybe a different editor?

---

Oh, I see, you are viewing source code. This is what is displayed as a result of q_view_extra($q_view) function.

This is is not what is stored in the database. Please take a screenshot of your database table.

Answer 2

Hey q2apro, I think you are testing the default q_view_extra($q_view); function.

The default function is still safe. But if you pull the content from the databse, it's not safe.

First, look! The script is stored in database.

Second, if create a function to pull that content form the datase:

public function q_item_extra($q_item)
{
$postidz = $q_item['raw']['postid'];
$extra = qa_db_read_one_value(qa_db_query_sub(
       'SELECT content FROM ^postmetas WHERE title="qa_q_extra" AND postid=#',
        $postidz
   ), true);
 
 //$extra = $q_item['extra']['content'];
 
        $this->output('My info:'.$extra);   
   
}

Here's the result:

I hope you'll get my point.

Comments

Anyway, for those who cares or any future user who wants to customize things related to user input, you can protect yourself by using qa_sanitize_html() function. This will manually sanitize any HTML input which Q2A system skips.

$this->output('Label:'.qa_sanitize_html($variable));   

Another trick is to limit the character of that field. You can do it with PHPMyadmin to edit the property of the interested table content. Just limit the character maximum to 5 or 10 characters. No practical scripts can be that short.

Answer 3

You should always escape output before displaying it anywhere on a web page. In Q2A this is done with the qa_html() function. Core Q2A does this everywhere, as shown in your "Q2A version" input in your question.

Using qa_sanitize_html() is certainly possible in some situations, but should only be used when you are expecting to show HTML. In Q2A we use it for this WYSIWYG editor I'm typing in now, because some tags like <b> are allowed.

In a standard one line input you don't want to allow any formatting, but you may want someone to post special characters. So the original content is stored exactly as was input, this is standard practice on the web and perfectly secure, if you escape it properly on output.