Changeset 1695

Timestamp:

Jan 4, 2007, 12:27:32 AM (17 years ago)

Author:

rub

Message:

Fixed: HTML vulnerability (Cross Site Scripting).
Fixed: All comments are displayed on comments.php

Location:

branches/branch-1_6

Files:

• admin/user_list.php (modified) (1 diff)
• comments.php (modified) (4 diffs)

branches/branch-1_6/admin/user_list.php

@@ -486 +486 @@
     
     'F_ADD_ACTION' => $base_url,
-    'F_USERNAME' => @$_GET['username'],
+    'F_USERNAME' => @htmlentities($_GET['username']),
     'F_FILTER_ACTION' => PHPWG_ROOT_PATH.'admin.php'
     ));

branches/branch-1_6/comments.php

@@ -145 +145 @@
 }
 
+// Only validated on 1.6.x
+// on 1.7, admin can see all because he can be validated or rejected comments
+$page['status_clause'] = 'validated="true"';
+
 // +-----------------------------------------------------------------------+
 // |                         comments management                           |
@@ -185 +189 @@
 
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@$_GET['keyword'],
-    'F_AUTHOR'=>@$_GET['author'],
+    'F_KEYWORD'=>@htmlentities($_GET['keyword']),
+    'F_AUTHOR'=>@htmlentities($_GET['author']),
 
     'U_HOME' => make_index_url(),
@@ -299 +303 @@
     AND '.$page['cat_clause'].'
     AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'];
+    AND '.$page['keyword_clause'].'
+    AND '.$page['status_clause'];
 if ($user['forbidden_categories'] != '')
 {
@@ -341 +346 @@
     AND '.$page['cat_clause'].'
     AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'];
+    AND '.$page['keyword_clause'].'
+    AND '.$page['status_clause'];
 if ($user['forbidden_categories'] != '')
 {