Joined: Oct 2008
Posts: 104
Member
One of our members who is an experienced coder brought up this issue, caused by improper encoding. Is this a known issue? Fix?

===========================================================
It's a bug in the forum software. For search engine optimization, it puts the thread title in the URL, but... it's not encoding the special characters properly like it should.

It's a common mistake in web applications, and the consequences range from minor inconvenience (things don't work quite right) to major security vulnerabilities such as cross-site scripting. The latter can allow an attacker to hijack the login sessions of other users - or administrators.



There is a bug in the forum software which causes problems with topics whose subject lines contain certain types of punctuation (quotes, ampersands, percent signs, etc). Usually the effect is to prevent it from jumping to the latest unread message after clicking on a topic. Sometimes it prevents accessing the topic altogether (Rickster reports that percent signs tend to do this.)

The problem is the software is not properly encoding/removing special characters from the subject when constructing SEO-friendly URLs on the topic list page. This type of bug is also the cause of a common and serious security vulnerability (cross-site scripting, also known as "XSS") which can result in unauthorized access to other users' and administrators' accounts.

To see an example thread with this problem, look at the Piano Forum for the topic titled 'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)' which has quotation marks in the subject line.

If you view the HTML of the topic list on the Piano Forum, you will see this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My impressions of "Piano Row" .html#Post2091873">

Notice there are several problems with the URL. The quotation marks are not encoded, and the URL includes spaces. I looked around at a few other UBB.threads forums on the web, and those which have SEO-friendly URLs enabled typically would encode the URL like this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My_impressions_of_Piano_Row_in.html#Post2091873">

Two example UBB.threads forums which encode correctly:

http://www.guitars.co.uk/forum/ubbthreads.php/forums/1/1/Electric_Guitar_Forum (version 7.5.7)
http://www.24hourcampfire.com/ubbthreads/ubbthreads.php/forums/21/1/Hunter_s_Campfire (version 7.5.3p2)


What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?

Anyway, I thought I'd report the bug because of the possible security implications. The above should be enough information to file a bug report or support request with whomever handles systems administration.

If there's any way I can help further, just send me a message.

Andy Skalski
=================================================
Thanks for any help,

Frank Baxter
Piano World
www.pianoworld.com/forum


Founder/Host
Piano World
https://PianoWorld.com
Home of the world famous Piano Forums.
http://forum.PianoWorld.com
88,000+ registered members
Over 2.5 million posts, and growing...
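As an added illustration of the bug report above (this is example code written for this page, not code from the thread, from PianoWorld, or from UBB.threads), the Python below reproduces the defective link construction quoted in the post, then shows the two ways a forum can fix it: reduce the subject to a slug of letters, digits and underscores (what the two correctly behaving forums appear to do), or keep the subject text but percent-encode it. Both hardened variants also HTML-escape the attribute value. A small parser then reads each anchor back the way a browser would, so you can see that the raw quotation marks end the href early and that a raw percent sign leaves the URL with a malformed escape. The path prefix, the 30-character slug limit cut at a word boundary (chosen because it reproduces the `My_impressions_of_Piano_Row_in` slug from the post) and all sample subjects are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

BASE = "/forum/ubbthreads.php/topics"  # assumed path prefix, copied from the markup in the post

# Constructed sample subjects; the first is the one quoted in the bug report.
SAMPLE_SUBJECTS = [
    'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)',
    "100% pure & simple?",
    'Review: "Steinway" vs <Yamaha> & more',
]


def unsafe_topic_link(topic_id: int, subject: str) -> str:
    """The defective construction quoted in the post: the raw subject is dropped
    into the URL path and the href attribute with no encoding at all."""
    return f'<a href="{BASE}/{topic_id}/{subject}.html#Post{topic_id}">'


def slugify(subject: str, max_len: int = 30) -> str:
    """Keep only ASCII letters and digits, join the words with '_', and stop at a
    word boundary so the slug never exceeds max_len (30 is an assumption that
    reproduces the slug the other forums emit for the example subject)."""
    slug = ""
    for word in re.findall(r"[A-Za-z0-9]+", subject):
        candidate = word if not slug else f"{slug}_{word}"
        if len(candidate) > max_len:
            break
        slug = candidate
    return slug or "topic"  # fall back to a fixed word if nothing survives


def slug_topic_link(topic_id: int, subject: str) -> str:
    """Hardened variant 1: slug containing only [A-Za-z0-9_], then HTML-escape
    the attribute value as defense in depth."""
    path = f"{BASE}/{topic_id}/{slugify(subject)}.html#Post{topic_id}"
    return f'<a href="{html.escape(path, quote=True)}">'


def encoded_topic_link(topic_id: int, subject: str) -> str:
    """Hardened variant 2: keep the subject text but percent-encode every
    character that is not unreserved (safe='' also encodes '/'), then HTML-escape."""
    path = f"{BASE}/{topic_id}/{quote(subject, safe='')}.html#Post{topic_id}"
    return f'<a href="{html.escape(path, quote=True)}">'


class _AnchorParser(HTMLParser):
    """Records the attribute list of every <a> tag, as an HTML parser sees it."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(attrs)


def parse_anchor(link_html: str) -> list:
    """Attribute (name, value) pairs of the first anchor in link_html."""
    parser = _AnchorParser()
    parser.feed(link_html)
    parser.close()
    return parser.anchors[0] if parser.anchors else []


def parsed_href(link_html: str) -> str:
    """The href value a browser would actually follow ('' if none)."""
    return dict(parse_anchor(link_html)).get("href") or ""


def attribute_intact(link_html: str) -> bool:
    """True when the anchor has exactly one attribute, i.e. nothing in the
    subject broke out of the quoted href value."""
    return [name for name, _ in parse_anchor(link_html)] == ["href"]


def url_well_formed(href: str) -> bool:
    """Reject raw whitespace, quotes and angle brackets, and any '%' not followed
    by two hex digits (the malformed escape that makes '%' in subjects break links)."""
    if re.search(r'[\s"<>]', href):
        return False
    return re.search(r"%(?![0-9A-Fa-f]{2})", href) is None


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"subject: {subject!r}")
        for build in (unsafe_topic_link, slug_topic_link, encoded_topic_link):
            link = build(2091873, subject)
            href = parsed_href(link)
            print(f"  {build.__name__:19} intact={attribute_intact(link)!s:5} "
                  f"well_formed={url_well_formed(href)!s:5} {href}")
```

Running the module prints, for each constructed subject, whether the href attribute survived intact and whether the resulting URL is well formed under each of the three constructions. Only the slug form produces the short, readable URLs the other UBB.threads installations show; the percent-encoded form is the minimal fix that keeps the full subject text and still stops both the broken-link and the attribute-injection problems.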
Joined: Dec 2003
Posts: 6,562
Likes: 78
Quote
What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?
I understand that this is an issue but...
You state that:
Quote
That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code
So what do you suggest, disable any modifications?

BTW,
When I visit your site I do see the URL in question but on normal navigation I do not. That leads me to believe that the html/seo settings have changed back and forth.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
