Changeset 26918


Timestamp:
01/23/14 12:07:23 (6 years ago)
Author:
mistic100
Message:

fix XSS on website field (see bug:3029)

File:
1 edited

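--- a/extensions/GuestBook/include/functions_comment.inc.php
+++ b/extensions/GuestBook/include/functions_comment.inc.php
@@ -88,12 +88,16 @@
 
   // website
-  if (!empty($comm['website']) and !preg_match('/^(https?:\/\/)/i', $comm['website']))
-  {
-    $comm['website'] = 'http://'.$comm['website'];
-  }
-  if (!empty($comm['website']) and !url_check_format($comm['website']))
-  {
-    $page['errors'][] = l10n('invalid website address');
-    $comment_action='reject';
+  if (!empty($comm['website']))
+  {
+    $comm['website'] = strip_tags($comm['website']);
+    if (!preg_match('/^(https?:\/\/)/i', $comm['website']))
+    {
+      $comm['website'] = 'http://'.$comm['website'];
+    }
+    if (!url_check_format($comm['website']))
+    {
+      $page['errors'][] = l10n('invalid website address');
+      $comment_action='reject';
+    }
   }
 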
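Review bot: `strip_tags($comm['website'])` on new line 92 removes angle-bracket markup but leaves the characters that close an attribute (`"`, `'`), so if the stored value is later emitted inside `href="..."` without escaping, the XSS this commit targets is narrowed rather than closed; the durable fix is context-aware output encoding where the field is rendered, `htmlspecialchars($comm['website'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, with the input-side strip kept at most as defence in depth. The strip also silently rewrites data before validation: a legitimate URL whose query string contains `<` loses its tail before `url_check_format()` ever sees it, which is worth a comment on line 92 such as `// strip_tags is a mitigation only; the field must still be escaped for the href context on output`. Whether `url_check_format()` already rejects quote characters cannot be judged here, since it is defined elsewhere, and the enclosing function both starts and ends outside the hunk.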