I’ve used the bug report generator today, but it seems that it hasn’t been properly thought through.
When attempting to set a placeholder with angle brackets, they are obviously treated as markup and so break the text that is being generated in the report box.
This raises one question: Why has nobody considered escaping these special characters (opening/closing angle bracket, ampersand, and double quotes)? This provides a good attack vector to inject SSIs (if enabled), do MySQL injections and other sorts of nasty things.
Please fix ASAP, and also look for other spots that fail to properly escape these characters! There may be other parts of this forum that are broken!
Let me reassure you that this isn’t the case…
The reason these special characters are not escaped in the bug report template… is because that template is just that… an actual message template… subject to all the rules of any other message on these forums…
As such, if they were escaped… you wouldn’t be able to use formatting in these posts either.
It is no more or less prone to injection attacks than this very message I am typing here… and I am pretty sure that these messages have a very strict control over what characters they interpret and how…
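The two posts above disagree about where escaping belongs: the first wants `<`, `>`, `&` and `"` escaped so a placeholder cannot break the generated report, the reply points out that the template itself must stay unescaped so formatting keeps working. The usual way to satisfy both is to treat the template as trusted markup and escape only the values substituted into it. The following is an added example, not code from the forum or its bug report generator; the `{{name}}` placeholder syntax, the `renderTemplate` function and the sample template and values are all constructed for illustration, and JavaScript is used only because a form-driven generator of this kind typically runs in the page.

```javascript
// Added example (not the forum's code): escape the four characters the first
// post names when substituting user-supplied values into an HTML template,
// while leaving the template's own formatting markup untouched.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

// Escape a user-supplied string so it is safe both as HTML text and inside a
// double-quoted attribute. One pass over all four characters means the
// ampersand replacement cannot re-trigger on already-escaped output.
function escapeHtml(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template of the form "...{{name}}..." (placeholder syntax assumed
// for this example). Template markup is trusted and passes through unchanged;
// only the substituted values are escaped. Unknown placeholders become empty.
function renderTemplate(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? escapeHtml(values[key]) : ""
  );
}

// The failure mode the first post describes: the same substitution without
// escaping, so a value containing angle brackets lands in the markup as a tag.
function renderTemplateUnsafe(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : ""
  );
}

// Constructed sample: a report template that uses formatting, filled with a
// placeholder value that contains angle brackets, an ampersand and quotes.
const SAMPLE_TEMPLATE = "<b>Steps:</b> {{steps}}<br><i>Expected:</i> {{expected}}";
const SAMPLE_VALUES = { steps: 'Type <placeholder> & click "Send"', expected: "No error" };

function renderSample() {
  return renderTemplate(SAMPLE_TEMPLATE, SAMPLE_VALUES);
}

function renderSampleUnsafe() {
  return renderTemplateUnsafe(SAMPLE_TEMPLATE, SAMPLE_VALUES);
}

console.log(renderSample());
console.log(renderSampleUnsafe());
```

In the escaped rendering the `<b>` and `<i>` tags from the template survive as formatting, while the `<placeholder>` typed into the form is shown literally; in the unescaped rendering the browser would parse `<placeholder>` as a tag, which is exactly the broken report box the first post observed.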