Fix validation in AboutMeOptionType

The validation method previously checked the original input, not the processed
input. This possibly allowed the user to hide words from the Censorship,
because the HTMLPurifier removes elements, resulting in a semantic change. For
example: `Bad<script></script>word` will be `Badword` after purification.

For the length validation this might result in outputs exceeding the hard 65535
character limit (which is also the maximum configurable length in the user
group option).

This is fixed by checking:

1. The text content against the user group option as done everywhere.
2. The text content against the censorship as done everywhere.
3. The HTML content against the hard limit.

diff --git a/wcfsetup/install/files/lib/system/option/AboutMeOptionType.class.php b/wcfsetup/install/files/lib/system/option/AboutMeOptionType.class.php
index 35dc117167954449e6b56123618f1c6b69339b30..01f9c4fe1f7169b14fd14cff8ea768b5445bb5f0 100644 (file)
--- a/wcfsetup/install/files/lib/system/option/AboutMeOptionType.class.php
+++ b/wcfsetup/install/files/lib/system/option/AboutMeOptionType.class.php
@@ -24,11 +24,19 @@ class AboutMeOptionType extends MessageOptionType
     {
         parent::validate($option, $newValue);
 
-        if (WCF::getSession()->getPermission('user.profile.aboutMeMaxLength') < \mb_strlen($newValue)) {
+        $htmlContent = $this->htmlInputProcessor->getHtml();
+        $textContent = $this->htmlInputProcessor->getTextContent();
+
+        if (\mb_strlen($textContent) > WCF::getSession()->getPermission('user.profile.aboutMeMaxLength')) {
+            throw new UserInputException($option->optionName, 'tooLong');
+        }
+
+        // There is a hardlimit in the database column size.
+        if (\mb_strlen($htmlContent) > 65535) {
             throw new UserInputException($option->optionName, 'tooLong');
         }
 
-        $censoredWords = Censorship::getInstance()->test($newValue);
+        $censoredWords = Censorship::getInstance()->test($textContent);
         if ($censoredWords) {
             WCF::getTPL()->assign('censoredWords', $censoredWords);
             throw new UserInputException($option->optionName, 'censoredWordsFound');