Changeset 26918


Timestamp:
Jan 23, 2014, 12:07:23 PM (10 years ago)
Author:
mistic100
Message:

fix XSS on website field (see bug:3029)

File:
1 edited

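--- a/extensions/GuestBook/include/functions_comment.inc.php
+++ b/extensions/GuestBook/include/functions_comment.inc.php
@@ -88,12 +88,16 @@
 
   // website
-  if (!empty($comm['website']) and !preg_match('/^(https?:\/\/)/i', $comm['website']))
-  {
-    $comm['website'] = 'http://'.$comm['website'];
-  }
-  if (!empty($comm['website']) and !url_check_format($comm['website']))
-  {
-    $page['errors'][] = l10n('invalid website address');
-    $comment_action='reject';
+  if (!empty($comm['website']))
+  {
+    $comm['website'] = strip_tags($comm['website']);
+    if (!preg_match('/^(https?:\/\/)/i', $comm['website']))
+    {
+      $comm['website'] = 'http://'.$comm['website'];
+    }
+    if (!url_check_format($comm['website']))
+    {
+      $page['errors'][] = l10n('invalid website address');
+      $comment_action='reject';
+    }
   }
 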
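Review bot: strip_tags() on the new line 92 only removes `<…>` sequences from the submitted value, so on its own it is not a complete XSS fix for a string that will end up inside an href attribute; the reliable control is escaping at output with `htmlspecialchars($comm['website'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` wherever the website is rendered, with url_check_format() remaining the acceptance check. Whether the rendering side already escapes the value cannot be seen from this hunk, so that is worth confirming before closing the bug. Since angle brackets are never part of a valid URL, letting the existing url_check_format() branch reject the submission instead of silently rewriting the stored value would also be clearer for the user. A short comment such as `// strip_tags() is defence in depth only; the value must still be escaped when rendered` would record that intent next to the call. The enclosing function starts before the hunk.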