XMB Forum Software

[Resolved] HTTPS links don't work on avatar URL input

Scarlet - 9-16-2017 at 08:34 AM

Full Board URL: http://scarlet-town.port0.org/
XMB Version: 1.9.11

Hi,

I've noticed this issue since the 1.9.11.14 upgrade (I think) and it seems to also be happening with 1.9.12 beta - which is what I'm using at the moment - so Xian might be able to aid with this :)

I think I have found a bug in which the URL input for the avatar field doesn't work with https:// URLs. The image I am linking is https://img.animebracket.com/1kal.jpg if that helps.

Could anyone look into the problem? Thank you and I am happy to use XMB ^^

Xian - 9-16-2017 at 02:20 PM

Hi. To fix this:

1. Open ./js/header.js

2. Around line 77 find:

if (input.value.substring(0, 7) == 'http://' || input.value.substring(0, 6) == 'ftp://') {

3. Replace with:

if (input.value.substring(0, 7) == 'http://' || input.value.substring(0, 8) == 'https://' || input.value.substring(0, 6) == 'ftp://') {

4. Save and reset your browser cache.

Let me know how it goes.

Scarlet - 9-16-2017 at 02:30 PM

The check is fixed but now it doesn't want to save the avatar...

Edit: Fixed it myself: on memcp.php, change the line:

if (preg_match('#^(http|ftp)://[:a-z\\./_\-0-9%~]+(\?[a-z=0-9&_\-;~]*)?$#Smi', $rawavatar) == 0) {

to

if (preg_match('#^(http|ftp|https)://[:a-z\\./_\-0-9%~]+(\?[a-z=0-9&_\-;~]*)?$#Smi', $rawavatar) == 0) {

--
Thanks!

Xian - 9-16-2017 at 03:00 PM

I knew I forgot something...:lol:

Xian - 9-16-2017 at 03:10 PM

This fix has been applied to the downloadable file here: http://forums.xmbforum2.com/viewthread.php?tid=776996

Scarlet - 9-16-2017 at 03:14 PM

Cool, and don't worry about not remembering mate, we're all sometimes forgetful, it's human nature :3

Also, could somebody put this into resolved support or just mark it as resolved :3

miqrogroove - 12-20-2017 at 08:16 PM

This looks good. I will collect some notes here since it has its own thread already.

The header.js and memcp.php changes look appropriate and will be merged to trunk with some extra style changes.

lottos marked this bug as found in v1.9.11.13. Most bugs are much older than this, but in this case the PCRE call was completely missing in v1.9.8 which only blacklisted the word "javascript". This "bug" was actually part of a security improvement that I've traced back to changes in the original v1.9.11 betas.

All other details will be in the bug tracker. Enjoy.
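
Added example, not part of the thread or of XMB's code: the fix above had to be made twice (header.js and memcp.php) because each side hard-coded its own scheme list, so this sketch drives the client-side check from a single scheme allowlist and ports the memcp.php pattern to JavaScript. The names `ALLOWED_SCHEMES`, `isAllowedAvatarUrl`, `oldPrefixCheck` and `classify` are hypothetical, and unlike the quoted pattern it omits the `m` flag so the anchors cover the whole value.

```javascript
// Added example; not XMB code. All names below are hypothetical.
// One scheme allowlist drives the whole check, so adding a scheme (as the
// thread did for https) is a single edit instead of one per substring test.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

// Port of the memcp.php pattern quoted in the thread: same character classes
// for the path and the optional query string. Built without the "m" flag so
// that ^ and $ anchor the whole value rather than any single line of it.
const AVATAR_URL = new RegExp(
  '^(' + ALLOWED_SCHEMES.join('|') + ')://' +
  '[:a-z./_\\-0-9%~]+' +
  '(\\?[a-z=0-9&_\\-;~]*)?$',
  'i'
);

// Returns true only when the entire value is an allowlisted-scheme URL.
function isAllowedAvatarUrl(value) {
  return typeof value === 'string' && AVATAR_URL.test(value);
}

// The pre-fix header.js test from the thread, kept for comparison.
function oldPrefixCheck(value) {
  return value.substring(0, 7) == 'http://' || value.substring(0, 6) == 'ftp://';
}

// Constructed sample inputs (the first URL is the one from the original post).
const samples = [
  'https://img.animebracket.com/1kal.jpg',
  'http://example.com/avatars/a.png?size=64',
  'ftp://example.com/a.gif',
  'javascript:void(0)',
  'data:image/png;base64,AAAA',
  'https://example.com/a.png\nsecond line',
];

// Runs both checks over a list so the difference is visible side by side.
function classify(list) {
  return list.map((v) => ({
    value: v,
    oldCheck: oldPrefixCheck(v),
    allowlist: isAllowedAvatarUrl(v),
  }));
}

console.table(classify(samples));
```

Client-side checks like this only improve feedback to the user; the server-side pattern in memcp.php remains the check that decides what is stored.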