0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/ForumController.php:2185-2196

Bug: $_POST['rules'] trimmed/length-capped then stored. Rendered later via toHtml without purify().

Fix: MarkdownService::purify($rules) before write.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:37pm

Resolved.

ForumController::saveRules now runs the raw rules text through MarkdownService::purify() before writing to forums.rules (src/Controllers/ForumController.php). A forum mod can no longer persist <script> / <iframe> / on*= attributes into the DB.

Render-time rendering in splitRules() already passes each block through toHtml() which itself purifies; this change adds defence in depth at write time so the stored value is always safe regardless of the render path.

Locking this thread.
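A check for the markup the resolution says must no longer reach forums.rules, usable as a regression assertion on the value saveRules writes or as a scan over stored rows. This is an added example, not code from the thread or from 6502ish; the function name `findUnsafeRulesMarkup` and the sample rows are hypothetical, and it relies on PHP's DOM extension rather than MarkdownService.

```php
<?php
declare(strict_types=1);

// Added example, not the site's code. Reports the markup named in the thread:
// <script>, <iframe> and on*= event-handler attributes.
function findUnsafeRulesMarkup(string $rules): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // rules text is rarely valid HTML
    // The encoding hint makes libxml read the input as UTF-8; the <div> wrapper
    // guarantees a non-empty document.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $rules . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);
        if ($tag === 'script' || $tag === 'iframe') {
            $findings[] = "<$tag> element";
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->nodeName, 'on') === 0) {
                $findings[] = "{$attr->nodeName} attribute on <$tag>";
            }
        }
    }
    return $findings;
}

// Constructed sample values standing in for forums.rules rows (forum id => rules).
$rows = [
    1 => "1. Be civil\n2. No spam, **ever**",
    2 => "Welcome <script>notify()</script>",
    3 => 'Logo: <img src="logo.png" onerror="fallback()">',
    4 => '<iframe src="https://example.invalid/"></iframe>',
];

foreach ($rows as $forumId => $rules) {
    $findings = findUnsafeRulesMarkup($rules);
    printf("forum %d: %s\n", $forumId, $findings ? implode('; ', $findings) : 'clean');
}
```

The scan parses the raw text as HTML, so a literal tag quoted inside a Markdown code span is reported as well; treat findings as rows to review rather than confirmed script execution.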
