phpLDAPadmin
Character '&' is not properly parsed when searching
Hi,
using '&' to link multiple search conditions does not seem to work. '|' e.g. works fine.
using: (&(cn=bv-team-it)(objectclass=groupOfUniqueNames)) leads to Filter performed: (&(cn=bv-team-it)(objectclass=groupOfUniqueNames))
In contrast: (|(cn=bv-team-it)(objectclass=groupOfUniqueNames)) correctly shows to Filter performed: (|(cn=bv-team-it)(objectclass=groupOfUniqueNames))
I suspect there is some place with one additional unnecessary escape.
I highly suspect this is caused by the recent XSS bugfix.
Okay, I can indeed confirm this suspicion. If I change the preventXSS function to this:
```php
function preventXSS($data){
    return $data; // workaround: skip the escaping entirely (the stock function has no early return)
    if (gettype($data) == 'array') {
        foreach ($data as $key => $value) {
            if (gettype($value) == 'array')
                $data[$key] = preventXSS($value);
            else
                $data[$key] = htmlspecialchars($value);
        }
        return $data;
    }
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}
```
The filter works as expected.
I believe this also affects authentication (when using session for example) and the password contains the "&" character (it gets converted to "& amp;" and the user can never authenticate).
+1
I can confirm this. My preventXSS-function already looks like the one @ClundXIII posted (I didn't change it, stock 1.2.5 file) - but the problem is there anyway.
There is a return $data; at the beginning which is NOT stock.
Btw I highly recommend NOT running this on a production site. Maybe activate it for testing and then deactivate the workaround once you are done.
Or maybe it was already fixed?
Oh, I did totally miss that. Thanks for the clarification! So yeah, without the XSS-preventing stuff it works.
According to this comment on Stackoverflow "htmlspecialchars [should only be used] in the HTML output, never anywhere else". But the latter seems to be the case here (though I did no research in the code yet).
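An added example (not phpLDAPadmin's own code) that contrasts the input-time escaping described in this thread with escaping at the HTML output; it mirrors the stock preventXSS() quoted above, assumes ext-ldap is loaded for ldap_escape(), and uses a constructed filter and password.

```php
<?php
// Added example, not phpLDAPadmin code. Mirrors the stock preventXSS()
// quoted in the thread (no early return) to show why escaping request
// input corrupts LDAP filters and passwords, then escapes per context.

function preventXSS($data) {
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = preventXSS($value);
        }
        return $data;
    }
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs as they would arrive from the search and login forms.
$filter   = '(&(cn=bv-team-it)(objectclass=groupOfUniqueNames))';
$password = 'secret&pass';

// Bug: passing raw request data through preventXSS() changes what reaches
// the directory. '&' becomes '&amp;', so the AND filter is no longer an AND
// filter and the bind password no longer matches the stored one.
$brokenFilter   = preventXSS($filter);
$brokenPassword = preventXSS($password);
printf("filter unchanged:   %s\n", var_export($brokenFilter === $filter, true));
printf("password unchanged: %s\n", var_export($brokenPassword === $password, true));

// Sound approach: keep request data raw for the LDAP layer and escape per context.
// 1) A user-supplied value placed inside a filter gets LDAP filter escaping
//    (ldap_escape() from ext-ldap; assumed available for this example).
function buildGroupFilter(string $cn): string {
    return sprintf('(&(cn=%s)(objectclass=groupOfUniqueNames))',
                   ldap_escape($cn, '', LDAP_ESCAPE_FILTER));
}
// 2) HTML escaping happens only at the moment the string is rendered.
function renderFilter(string $filter): string {
    return 'Filter performed: ' . htmlspecialchars($filter, ENT_QUOTES, 'UTF-8');
}

$ldapFilter = buildGroupFilter('bv-team-it');   // handed to ldap_search() as-is
printf("ldap filter intact: %s\n", var_export($ldapFilter === $filter, true));
echo renderFilter($ldapFilter), "\n";           // '&' encoded only in the HTML

// A value carrying filter metacharacters is neutralised at the LDAP layer,
// while the page output stays protected by escaping at render time.
echo renderFilter(buildGroupFilter('x)(cn=*')), "\n";
```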
I've just come across the same error.

This is still a valid issue.
Still & -> &