What is this amp; amp; crap

amm5061

Sometimes you'll see quot in titles, when I advertised my 7 1/2" 44mag it got "changed" to 7 1/2quot.

That's the same idea, and it has to do with HTML encoding text before storing it in the database. It means the code is not properly HTML encoding or decoding the text either before storing it in the database or upon retrieval for display. The HTML encoded string for " is &quot;

It's a pretty common problem.
 

DarkNet

Not saying that it's being done correctly here, but most likely doing some form of it. The backend server should "sanitize" any user input before storing it. The reason for this is there is a common exploit, Cross Site Scripting (XSS), where a vulnerable system will store executable code based on user input. So for example, if you have a freeform field (could be any kind of field, e.g. first name), and there is no sanitizing on the backend, the user could input executable code (really a script). Then when someone else opened that page that contained that field, the code would execute with that user's permissions. So, in this case if someone put malicious code in the for sale section, and an admin or mod brought it up in their browser, then the code would execute with the admin's or mod's permission level. For example you could create code to delete the whole forum, add another "admin" user, etc. Not sure that's (sanitizing) what's happening here, but sounds like it.

EDIT: There are other exploits that also need to be sanitized for using the same backend method, for example SQL injection.
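The double-encoding behaviour discussed in this thread, shown as an added example that is not part of any post and is not the forum software's code: text encoded once on storage and again on display shows literal entities such as `&quot;`, while text stored raw and encoded once at output displays correctly and still leaves script input inert. Python's `html.escape` stands in for the forum's encoder; the function names and sample titles are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample titles, as a user would type them.
TITLES = ['7 1/2" 44mag', 'S&W 686', '<script>alert(1)</script>']

def store_encoded(text):
    """Buggy pattern: HTML-encode before writing to the database."""
    return html.escape(text, quote=True)

def render(stored):
    """Template layer: HTML-encode once at output time."""
    return html.escape(stored, quote=True)

def browser_shows(markup):
    """Text a browser displays for the markup: one level of entity decoding."""
    return html.unescape(markup)

# An entity that was itself encoded, e.g. &amp;quot; or &amp;amp;
# Heuristic only: a user who literally typed "&quot;" also matches.
DOUBLE = re.compile(r'&amp;(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);')

def is_double_encoded(markup):
    """Flag rendered markup that contains an encoded entity."""
    return bool(DOUBLE.search(markup))

def demo():
    """Return (typed, shown_when_encoded_twice, shown_when_encoded_once, flagged)."""
    rows = []
    for title in TITLES:
        twice = render(store_encoded(title))  # encoded on store and on display
        once = render(title)                  # stored raw, encoded on display
        rows.append((title, browser_shows(twice), browser_shows(once),
                     is_double_encoded(twice)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```
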
 