fix: special chars in subscriptions

[ellite]

No description provided.

[ouuan]

#105 double-escaped the inputs, which caused #266. This PR removed htmlentities and added htmlspecialchars_decode at the same time, so #105 is effectively gone. Now it's vulnerable to XSS again. Fortunately, the XSS is only a self-XSS, as the injected data can only be retrieved by the same user, so it has very limited impacts.

However, now the HTML escaping in Wallos is in a mess. They are at least bugs if not vulnerabilities. To name a few:

• subscription/get.php and subscriptions/get.php use htmlspecialchars_decode
• index.php does not
• calendar.php uses an extra htmlspecialchars
• registration.php and adduser.php use an extra htmlentities.

[ouuan]

By the way, it's usually better to escape data when displaying them instead of when saving them to the database. Then you won't ever need htmlspecialchars_decode and you can be sure that the data is escaped no matter what is stored in the database.

[ellite]

Hi @ouuan , thank you for the report.
Can you please give me a string that would trigger the XSS issue? I can't replicate it.
Regards.

[ouuan]

Can you please give me a string that would trigger the XSS issue? I can't replicate it.

<img src="" onerror="alert(1)"> or "><img src="" onerror="alert(2)

[ellite]

Thanks. That one works.

[ellite]

2.29.2 released with a fix.
But I still need to cleanup a bit.