Changeset 28343 for extensions/ContactForm

Timestamp:

May 4, 2014, 4:00:55 PM (10 years ago)

Author:

mistic100

Message:

fix escaping

Location:

extensions/ContactForm

Files:

• admin/config.php (modified) (2 diffs)
• admin/template/config.tpl (modified) (2 diffs)
• maintain.inc.php (modified) (1 diff)

extensions/ContactForm/admin/config.php

@@ -25 +25 @@
     'cf_must_initialize' =>   false,
     'cf_menu_link' =>         isset($_POST['cf_menu_link']),
-    'cf_subject_prefix' =>    trim($_POST['cf_subject_prefix']),
-    'cf_default_subject' =>   trim($_POST['cf_default_subject']),
+    'cf_subject_prefix' =>    stripslashes(trim($_POST['cf_subject_prefix'])),
+    'cf_default_subject' =>   stripslashes(trim($_POST['cf_default_subject'])),
     'cf_allow_guest' =>       isset($_POST['cf_allow_guest']),
     'cf_mandatory_mail' =>    isset($_POST['cf_mandatory_mail']),
@@ -36 +36 @@
   $conf['ContactForm_after'] = $_POST['cf_after'];
 
-  conf_update_param('ContactForm', serialize($conf['ContactForm']));
+  conf_update_param('ContactForm', pwg_db_real_escape_string(serialize($conf['ContactForm'])));
   conf_update_param('ContactForm_before', $conf['ContactForm_before']);
   conf_update_param('ContactForm_after', $conf['ContactForm_after']);

extensions/ContactForm/admin/template/config.tpl

@@ -58 +58 @@
       <li>
         <label>
-          <input type="text" name="cf_default_subject" value="{$cf_default_subject}" size="50">
+          <input type="text" name="cf_default_subject" value="{$cf_default_subject|escape:html}" size="50">
           {'Default e-mail subject'|translate} ({'can be translated with LocalFiles Editor plugin'|translate})
         </label>
@@ -64 +64 @@
       <li>
         <label>
-          <input type="text" name="cf_subject_prefix" value="{$cf_subject_prefix}" size="50">
+          <input type="text" name="cf_subject_prefix" value="{$cf_subject_prefix|escape:html}" size="50">
           {'Prefix of the sent e-mail subject'|translate} ({'you can use "%gallery_title%"'|translate})
         </label>

extensions/ContactForm/maintain.inc.php

@@ -95 +95 @@
       // save config
       $conf['ContactForm'] = serialize($new_conf);
-      conf_update_param('ContactForm', $conf['ContactForm']);
+      conf_update_param('ContactForm', pwg_db_real_escape_string($conf['ContactForm']));
     }