Bug #57

Bug #54: Huge comments making all comments below it have bold font

Force-wrapped comments can overflow the maximum length of a field.

Added by Max Goldberg about 8 years ago. Updated almost 8 years ago.

Status:Closed Start date:06/01/2011
Priority:High Due date:
Assignee:Max Goldberg % Done:

0%

Category:Back-end Spent time: 3.00 hours
Target version:YTMND 2.1 Estimated time:6.00 hours

Description

The verification on the back end needs to be changed to cut text and then check for broken tags to avoid XSS and the bold issue described in bug #54.

History

#1 Updated by Prairiedogeric Ten about 8 years ago

I have also noticed that even though it might say "2000/2000 characters used", only 1922 characters are actually posted. Just one example: http://ytmnd.com/sites/959675/profile/c6066172#c6066666

Not sure if this has been addressed elsewhere, but it might be good to know.

#3 Updated by Max Goldberg about 8 years ago

The issue is due to the discrepancy between the HTMLized version, the plaintext version and what the data store can hold.

For instance, hitting enter may seem like one character but it's actually six (<br />) hence what appears to be a miscount.

I think the easiest solution to the main bug is increasing the size able to be stored by a small bit to handle the spam, and then fix any of the broken comments by hand.

#4 Updated by Max Goldberg almost 8 years ago

  • Status changed from Accepted to Resolved

Changed production data stores and hashes to hold slightly more in case someone spams and there is a full force-wrap.

I found four affected comments using the query "SELECT site_comment_id FROM site_comments WHERE comment LIKE '%<br /'":

---------------
| site_comment_id |
--------------- | 6034318 | | 6034319 | | 6034320 | | 6066504 |
---------------

(there were no news comments affected). Three of these were deleted, one was edited.

Any further comments made should fit in the data store and not cause overflow issues.

#5 Updated by Max Goldberg almost 8 years ago

  • Status changed from Resolved to In Progress

Ah, missed a lot. ('%<br ', '%<br', '%<b', '%<b'). Going to work on this a bit more.

#6 Updated by Max Goldberg almost 8 years ago

  • Status changed from In Progress to Closed

mysql> UPDATE site_comments SET comment=CONCAT WHERE comment like '%<';
Query OK, 1 row affected (5.51 sec)
Rows matched: 1 Changed: 1 Warnings: 0

mysql> UPDATE site_comments SET comment=CONCAT WHERE comment like '%<b';
Query OK, 76 rows affected (5.58 sec)
Rows matched: 76 Changed: 76 Warnings: 0

mysql> UPDATE site_comments SET comment=CONCAT WHERE comment like '%<br';
Query OK, 14 rows affected (5.43 sec)
Rows matched: 14 Changed: 14 Warnings: 0

mysql> UPDATE site_comments SET comment=CONCAT WHERE comment like '%<br ';
Query OK, 5 rows affected (5.55 sec)
Rows matched: 5 Changed: 5 Warnings: 0

mysql> UPDATE site_comments SET comment=CONCAT WHERE comment like '%<br /';
Query OK, 0 rows affected (5.45 sec)
Rows matched: 0 Changed: 0 Warnings: 0

etc.

Also available in: Atom PDF