Bug in "Your saved searches" for videos

    • edde42
      edde42
      Bronze
      Joined: 13.04.2011 Posts: 3
      I just tried to save a search beginning the name with "S&G...", but in the list it only showed up as "S". Seems like you're not properly escaping the & sign and it is treated as a markup code such as in ©.
  • 4 replies
    • dydukas
      dydukas
      Platinum
      Joined: 01.05.2009 Posts: 1,275
      That feature doesn't work for me at all.
    • Pascal
      Pascal
      Bronze
      Joined: 11.01.2011 Posts: 875
      Hi

      you are right about the "&". I think it is not unusual that special characters are not supported, but we should probably add a hint

      @dydukas
      can you be a little more specific about your problems?


      Cheers,

      Pascal
    • edde42
      edde42
      Bronze
      Joined: 13.04.2011 Posts: 3
      Originally posted by Pascal: you are right about the "&" I think it is not unusual that special characters are not supported but we should probably add a hint
      Well, I believe you should look into it more seriously. Usually this is a sign that the form data is not filtered properly before being saved in the database. In the worst case it could allow someone to use SQL injections via the forms.

      Since you are using PHP, there are several functions you can use to filter any input text to harmless strings that then can be converted back to exactly what the user wrote without any risk for it to be used to hack your application. These things are standard coding practice for any website these days. Such as it is used in this forum for example.

      Also, I don't really see the & as a special character as it is often used in many written human readable languages.

      /thomas
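To make the point of the post above concrete, here is an added PHP example of the two separate measures involved: a prepared statement so that whatever the user types is stored as data (the SQL injection concern), and context-specific encoding when the stored name is written back into HTML or into a URL (the "&" display concern). This is not the site's own code and says nothing about what its software actually does; it assumes a PDO build with the sqlite driver, and the table, function names and the search name "S&G videos" are all made up for the demonstration.

```php
<?php
// Added example, not the forum's or site's code. Assumes PDO with the sqlite
// driver is available. Table and function names are invented for the demo.

declare(strict_types=1);

function openStore(): PDO {
    // Constructed in-memory database standing in for the site's real table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE saved_search (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// Database layer: a prepared statement keeps the user's text as a bound value,
// so quotes, semicolons or "&" in the name can never change the SQL itself.
function saveSearch(PDO $db, string $name): int {
    $stmt = $db->prepare('INSERT INTO saved_search (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function loadSearch(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM saved_search WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Output layer: the raw text is stored unchanged and encoded only at the
// moment it is written into a particular context. "&" means an entity
// reference in HTML and a parameter separator in a query string, so each
// context gets its own encoder.
function renderListItem(string $name): string {
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

function searchLink(string $name): string {
    return '/videos/search?q=' . rawurlencode($name);
}

$db     = openStore();
$id     = saveSearch($db, "S&G videos");
$stored = loadSearch($db, $id);

// Round trip: exactly what the user typed comes back out of the database.
if ($stored !== "S&G videos") {
    throw new RuntimeException('stored name was altered');
}

echo renderListItem($stored), PHP_EOL;  // <li>S&amp;G videos</li>
echo searchLink($stored), PHP_EOL;      // /videos/search?q=S%26G%20videos
```

The split matters: escaping for HTML before storing (or storing the URL-encoded form) would corrupt the value for every other use and would still leave the SQL unprotected; binding the parameter protects the query, and encoding at output protects the page and the link.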
    • Pascal
      Pascal
      Bronze
      Joined: 11.01.2011 Posts: 875
      Hi,

      thanks again for your input
      I forwarded it to our IT guys
      who are more into possible risks than I, as a kind of IT noob, am


      Cheers,

      Pascal