[geeklog-cvs] geeklog: Fixed XSS (reported by Gerendi Sandor Attila)

details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/1f2c0ab2b681
changeset: 7200:1f2c0ab2b681
user:      Dirk Haun <dirk@xxxxxxxxxxxxxx>
date:      Wed Jul 29 19:49:55 2009 +0200
description:
Fixed XSS (reported by Gerendi Sandor Attila)

diffstat:

 public_html/profiles.php |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (21 lines):

diff -r 3e15c8a33aa2 -r 1f2c0ab2b681 public_html/profiles.php
--- a/public_html/profiles.php  Sun Jun 21 20:56:20 2009 +0200
+++ b/public_html/profiles.php  Wed Jul 29 19:49:55 2009 +0200
@@ -231,7 +231,7 @@
             $mail_template->set_var ('lang_subject', $LANG08[13]);
             $mail_template->set_var ('subject', $subject);
             $mail_template->set_var ('lang_message', $LANG08[14]);
-            $mail_template->set_var ('message', $message);
+            $mail_template->set_var ('message', htmlspecialchars($message));
             $mail_template->set_var ('lang_nohtml', $LANG08[15]);
             $mail_template->set_var ('lang_submit', $LANG08[16]);
             $mail_template->set_var ('uid', $uid);
@@ -421,7 +421,7 @@
     $mail_template->set_var('lang_toemailaddress', $LANG08[19]);
     $mail_template->set_var('toemail', $toemail);
     $mail_template->set_var('lang_shortmessage', $LANG08[27]);
-    $mail_template->set_var('shortmsg', $shortmsg);
+    $mail_template->set_var('shortmsg', htmlspecialchars($shortmsg));
     $mail_template->set_var('lang_warning', $LANG08[22]);
     $mail_template->set_var('lang_sendmessage', $LANG08[16]);
     $mail_template->set_var('story_id',$sid);
_______________________________________________
geeklog-cvs mailing list
geeklog-cvs@xxxxxxxxxxxxxxxxx
http://eight.pairlist.net/mailman/listinfo/geeklog-cvs