Changeset 28343


Timestamp:
05/04/14 16:00:55 (5 years ago)
Author:
mistic100
Message:

fix escaping

Location:
extensions/ContactForm
Files:
3 edited

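--- a/extensions/ContactForm/admin/config.php
+++ b/extensions/ContactForm/admin/config.php
@@ -25,6 +25,6 @@
     'cf_must_initialize' =>   false,
     'cf_menu_link' =>         isset($_POST['cf_menu_link']),
-    'cf_subject_prefix' =>    trim($_POST['cf_subject_prefix']),
-    'cf_default_subject' =>   trim($_POST['cf_default_subject']),
+    'cf_subject_prefix' =>    stripslashes(trim($_POST['cf_subject_prefix'])),
+    'cf_default_subject' =>   stripslashes(trim($_POST['cf_default_subject'])),
     'cf_allow_guest' =>       isset($_POST['cf_allow_guest']),
     'cf_mandatory_mail' =>    isset($_POST['cf_mandatory_mail']),
@@ -36,5 +36,5 @@
   $conf['ContactForm_after'] = $_POST['cf_after'];
 
-  conf_update_param('ContactForm', serialize($conf['ContactForm']));
+  conf_update_param('ContactForm', pwg_db_real_escape_string(serialize($conf['ContactForm'])));
   conf_update_param('ContactForm_before', $conf['ContactForm_before']);
   conf_update_param('ContactForm_after', $conf['ContactForm_after']);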
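Review bot: The stripslashes() → serialize() → pwg_db_real_escape_string() ordering on lines 27–28 and 38 is the real fix but carries no comment, and it only holds if the core pre-slashes $_POST and conf_update_param() interpolates its value into SQL unescaped — neither is visible in this hunk, so if both are confirmed write it down: `// $_POST is pre-slashed by the core: unslash before serialize() so the encoded lengths are right, then escape the blob once here because conf_update_param() does not escape`. The same treatment is not applied to ContactForm_before/ContactForm_after (lines 36, 39–40), which go from $_POST straight into conf_update_param(); if that is safe only because of the pre-slashing, a comment should say so, otherwise they need the same escape. cf_subject_prefix and cf_default_subject are trimmed but embedded CR/LF is kept; if either value ends up in a mail Subject: header, strip line breaks here too, e.g. `str_replace(array("\r", "\n"), '', stripslashes(trim($_POST['cf_subject_prefix'])))`. The surrounding save handler starts before and ends after this hunk.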
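--- a/extensions/ContactForm/admin/template/config.tpl
+++ b/extensions/ContactForm/admin/template/config.tpl
@@ -58,5 +58,5 @@
       <li>
         <label>
-          <input type="text" name="cf_default_subject" value="{$cf_default_subject}" size="50">
+          <input type="text" name="cf_default_subject" value="{$cf_default_subject|escape:html}" size="50">
           {'Default e-mail subject'|translate} ({'can be translated with LocalFiles Editor plugin'|translate})
         </label>
@@ -64,5 +64,5 @@
       <li>
         <label>
-          <input type="text" name="cf_subject_prefix" value="{$cf_subject_prefix}" size="50">
+          <input type="text" name="cf_subject_prefix" value="{$cf_subject_prefix|escape:html}" size="50">
           {'Prefix of the sent e-mail subject'|translate} ({'you can use "%gallery_title%"'|translate})
         </label>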
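Review bot: `|escape:html` on the two value attributes (lines 60 and 66) assumes `$cf_default_subject` and `$cf_subject_prefix` are assigned as raw, unencoded strings on the PHP side, which is not part of this hunk; if either is ever HTML-encoded before assignment this will double-encode, so that assignment is worth checking once. Escaping at the output point is the right rule for every admin-editable config value rendered by this template, and the before/after text that admin/config.php saves straight from $_POST should be bound with the same modifier if it is displayed here; only these two inputs are visible in the hunk.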
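--- a/extensions/ContactForm/maintain.inc.php
+++ b/extensions/ContactForm/maintain.inc.php
@@ -95,5 +95,5 @@
       // save config
       $conf['ContactForm'] = serialize($new_conf);
-      conf_update_param('ContactForm', $conf['ContactForm']);
+      conf_update_param('ContactForm', pwg_db_real_escape_string($conf['ContactForm']));
     }
 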
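Review bot: The SQL escaping of the serialized ContactForm blob is now duplicated at two call sites (line 97 here and admin/config.php), each wrapping the same conf_update_param('ContactForm', …) call; if the core ever escapes inside conf_update_param() both will double-escape, and a third caller is likely to forget the wrapper. Centralise it in one plugin helper, e.g. `function cf_save_config($serialized) { conf_update_param('ContactForm', pwg_db_real_escape_string($serialized)); }`, and call it from both places. Keeping the unescaped string in $conf['ContactForm'] on line 96 while escaping only the argument is correct and deserves a one-line comment: `// keep the raw serialized value in memory; escape only for the SQL write`. The enclosing block begins before this hunk.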