
downgrade random_bytes() for PHP 5.6 #1423

Closed
wants to merge 1 commit into from

Conversation

mambax7
Collaborator

@mambax7 mambax7 commented Nov 20, 2023


// JavaScript to assign the generated token to a hidden input field
$js_in_validate_function = "
xoopsGetElementById('antispam_md5').value = '$secureToken';
Contributor

Why
xoopsGetElementById('antispam_md5').value = '$secureToken';
and not
xoopsGetElementById('antispam_md5').value = $secureToken;

Collaborator Author

Using quotation marks ensures that the code is treated as a single string literal, preventing unintended concatenation. This allows the $secureToken variable's value to be properly inserted into the string, resulting in valid JavaScript code that can be executed.

  1. With Single Quotes ('$secureToken'): This method ensures that the value of $secureToken is treated as a string in JavaScript. When PHP processes this code, it replaces $secureToken with its value, and the single quotes are retained in the output JavaScript code. This is important if $secureToken is expected to be a string, which is often the case for tokens.

  2. Without Quotes ($secureToken): If you omit the quotes, PHP will still replace $secureToken with its value, but there will be no quotes around this value in the resulting JavaScript code. This can lead to issues if the token is a string that contains characters which could be interpreted as code, potentially causing syntax errors or unintended behavior in JavaScript.

In the context of a token, which is typically a string of alphanumeric characters, you would want to use single quotes to ensure that it is correctly interpreted as a string literal in JavaScript. Not using quotes could potentially lead to JavaScript errors if the token contains characters that JavaScript interprets in a different way (like spaces, or characters like {, }, [, ], etc.).

So, the recommended approach is:

$js_in_validate_function = "
    xoopsGetElementById('antispam_md5').value = '$secureToken';

This ensures that the token is safely and correctly embedded as a string in the JavaScript code.
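The two points raised in this thread, a secure random source on PHP 5.6 (the subject of the PR title) and embedding the resulting token in inline JavaScript, as an added example. This is not code from the PR or from XOOPS; the helper names `secure_random_bytes()` and `js_string_literal()` and the `antispam_md5` element are assumptions for illustration. It also goes one step beyond the comment above: quoting the value makes it a string literal only as long as the value itself cannot contain a quote, so the example escapes the value as well as quoting it, and shows what happens with an attacker-shaped value in the unquoted, quoted-but-unescaped and escaped forms.

```php
<?php
// Added example (not code from the PR or from XOOPS). Function and element
// names are assumptions used for illustration only.

/**
 * Return $length cryptographically secure random bytes.
 * random_bytes() exists only from PHP 7.0; on PHP 5.6 fall back to
 * openssl_random_pseudo_bytes() and refuse weak output rather than
 * silently degrading to rand()/mt_rand().
 */
function secure_random_bytes($length)
{
    if (function_exists('random_bytes')) {
        return random_bytes($length);               // PHP >= 7.0
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes  = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    throw new RuntimeException('No cryptographically secure random source available');
}

/**
 * Embed a PHP value in inline JavaScript as a single string literal.
 * json_encode() adds the quotes and escapes the value; the JSON_HEX_* flags
 * additionally hex-escape < > & ' " so the output cannot close the literal,
 * an attribute or the enclosing <script> block whatever the value contains.
 */
function js_string_literal($value)
{
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// 16 random bytes -> 32 hex characters, the usual shape of an anti-spam token.
$secureToken = bin2hex(secure_random_bytes(16));

// Quoted *and* escaped: a valid JavaScript string literal regardless of contents.
$js_in_validate_function = "
    xoopsGetElementById('antispam_md5').value = " . js_string_literal($secureToken) . ";
";
echo $js_in_validate_function;

// Why interpolating the raw value is not enough. A hex token interpolates fine
// either way, but any value not guaranteed to match [0-9a-f]+ can break or
// hijack the script. $hostile is a constructed, attacker-shaped value.
$hostile  = "'; alert(document.cookie); //";
$unquoted = "el.value = $hostile;";                             // syntax error
$quoted   = "el.value = '$hostile';";                           // literal closed early: code runs
$escaped  = "el.value = " . js_string_literal($hostile) . ";"; // still one string literal

echo $unquoted, "\n", $quoted, "\n", $escaped, "\n";
```

The escaped form prints `el.value = "\u0027; alert(document.cookie); \/\/";`, which JavaScript reads as one harmless string. For the hex token produced by `bin2hex()` the quoted interpolation in the PR is safe in practice, because the character set is fixed; the escaping matters the moment the same pattern is reused for a value that is not.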

@ggoffy ggoffy self-requested a review December 2, 2023 15:11
@geekwright
Contributor

No longer needed.

@geekwright geekwright closed this Apr 2, 2024