-
If you enjoy the forum please consider supporting it by signing up for a NES Membership The benefits pay for the membership many times over.
What is this amp; amp; crap
- Thread starter paracarry
- Start date
Knob Creek
NES Member
No idea. I think somehow if you use a character like #%+# is displays as "amp"
amm5061
NES Member
That's the same idea, and it has to do with html encoding text before storing it in the database. It means the code is not properly html encoding or decoding the text either before storing it in the database or upon retrieval for display. The html encoded string for " is "
It's a pretty common problem.
Golddiggie
NES Member
Not saying that it's being done correctly here, but most likely doing some form of it. The backend server should "sanitize" any user input before storing it. The reason for this is there is a common exploit, Cross Site Scripting (XSS), where a vulnerable system will store executable code based on user input. So for example, if you have a freeform field (could be any kind of field, eg. first name), and there is no sanitizing on the backend, the user could input executable code (really a script). Then when someone else opened that page that contained that field, the code would execute with that users permissions. So, in this case if someone put malicious code in the for sale section, and an admin or mod brought it up in their browser, then the code would execute with the admin's or mod's permission level. For example you could create code to delete the whole forum, add another "admin" user, etc.... Not sure that's (sanitizing) what's happening here, but sounds like it.
EDIT: There other exploits that also need to be sanitized for using the same backend method, for example SQL injection.
EDIT: There other exploits that also need to be sanitized for using the same backend method, for example SQL injection.
Last edited:
