Hail
I just installed this patch on my test pc,and found a issue in phpbb2 port.

EX:
When a post is written an url address without bbcode,It shows:

\
://www.computercops.biz/downloads/PHPNuke/xss_patch_100.txt

But content correct clickable link.Before patch,it show this normally:

/downloads/PHPNuke/xss_patch_100.txt

Thanks.

That's odd... this forum has the XSS exploit patch applied and it seems the link is linked correctly. I think I'm not understanding your post. Please advise... because if there is something wrong with the forums patch, I'll fix it rightaway and re-release.

Sorry,it is my mistake.><

I use the broken line,because the code is too long,so I didn't notice that.

Thanks for reply,I should now know how to fix this problem.

P.S
And sorry my poor English.

Your English is excellent, and I'm glad you're able to get the code fixed.

I had this problem too. I just discovered it today when I received a nice handful of 404 messages e-mailed my way: http://www.mysite.com/h<br%20/>ttp://www.thesitetheywerelinkingto.com

I've fixed it by making sure the code didn't break up the links & mailto parts up.

btw - thanks for the security fix

My pleasure.. is that the link that wouldn't work on your site?

No, that was just an example of how the link looked w/the added br tag & my site url before it. Someone added an url (without the http:// part) to their post..... and that is how it ended up!

It was easy to fix & all links work now.

thanks,
Andi

Great... what was your fix? I haven't seen any bugs here.

Paul, I'm just going to copy & paste segments of the relevant parts from xss_patch_100.txt that were giving me problems & what I did to fix them.

$ret = preg_replace("#([\n ])([a-z]+?)://([^\t <\"\n\r]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\
\2://\\3</a>", $ret);

You will notice in the code above that the \2... part is separated from the rest of the code. This happens 3 times, so

this segment:
"\\1<a href=\"\\2://\\3\" target=\"_blank\">\
\2://\\3</a>"

I changed to:
"\\1<a href=\"\\2://\\3\" target=\"_blank\">\\2://\\3</a>"

Also this segment further on:
"\\1<a href=\"h
ttp://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>"

I changed to:
"\\1<a href=\"http://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>"

And finally, this:
"\\1<a href=\"mailto:\\2@\
\3\">\\2@\\3</a>"

I changed to:
"\\1<a href=\"mailto:\\2@\\3\">\\2@\\3</a>"

I just made sure that all the lines of code in bbcode.php concerning "a href" weren't broken up & that has fixed it for me. Using nuke 5.5 & phpbb2 port 2.0.4.

No idea why it was causing problems for me but this is what fixed it for my board.

HTH,
Andi

Oh I see, line breaks in the code. That can be a problem when copy and pasting.

Imagine this "Breaking News" should be posted for fun... personally I disabled PM's in Nuke way back.

Nuke 5.6 contains Splatt forums for Private Messaging.

At any rate doesn't really seem like anything new to me.

Due to the nature of the phpBB2 forums, such a script won't work here.

Figured it went along with the general topic better then posting a new one.
Maybe it stirs up some interest in nuke security? They seem to be running through the Blogs and shopping carts lately.