Commit: 581ce9406f6bc1171df3a9efd405c78c323ab34e Author: Sherif Ramadan <[email protected]> Sat, 24 Nov 2012 18:12:58 -0500 Parents: 532a6f0200dd439a1c61bc0955531d3a51e13aab Branches: master
Link: http://git.php.net/?p=web/master.git;a=commitdiff;h=581ce9406f6bc1171df3a9efd405c78c323ab34e
Log: Fixed XSS vulnerabilities in preview note action and added syntax highlighting for proper preview when editing a note.
Changed paths: M manage/user-notes.php
Diff:
diff --git a/manage/user-notes.php b/manage/user-notes.php
index f1d2e08..ce01666 100644
--- a/manage/user-notes.php
+++ b/manage/user-notes.php
@@ -294,7 +294,7 @@ case 'edit':
 $row = note_get_by_id($id);
 $email = (isset($_POST['email']) ? real_clean(html_entity_decode($_POST['email'],ENT_QUOTES)) : real_clean($row['user']));
- $sect = (isset($_POST['sect']) ? real_clean($_POST['sect']) : real_clean($row['sect']));
+ $sect = (isset($_POST['sect']) ? real_clean(html_entity_decode($_POST['sect'],ENT_QUOTES)) : real_clean($row['sect']));
 if (isset($note) && $action == "edit") {
 if (db_query("UPDATE note SET note='".real_clean(html_entity_decode($note,ENT_QUOTES))."',user='$email',sect='$sect',updated=NOW() WHERE id=$id")) {
@@ -318,9 +318,9 @@ case 'edit':
 $note = isset($note) ? $note : $row['note'];
 if ($action == "preview") {
- echo "<p class=\"notepreview\">",strip($note),
+ echo "<p class=\"notepreview\">",clean_note(strip($note)),
 "<br /><span class=\"author\">",date("d-M-Y h:i",$row['ts'])," ",
- strip($email),"</span></p>";
+ clean(strip($email)),"</span></p>";
 }
 ?>
 <form method="post" action="<?= PHP_SELF ?>">
@@ -335,7 +335,7 @@ case 'edit':
 <td><input type="text" name="email" value="<?= clean($email) ?>" size="30" maxlength="80" /></td>
 </tr>
 <tr>
- <td colspan="2"><textarea name="note" cols="70" rows="15"><?= $note ?></textarea></td>
+ <td colspan="2"><textarea name="note" cols="70" rows="15"><?= clean($note) ?></textarea></td>
 </tr>
 <tr>
 <td align="center" colspan="2">
--
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
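Review bot: The new `$sect` line, like the `$email` line above it, is only safe because `html_entity_decode()` runs before `real_clean()` — decoding after escaping would turn an entity-encoded quote back into a literal quote inside the UPDATE below — and that ordering deserves a comment such as `// decode entities first: decoding after real_clean() would put quotes back into the query`. The UPDATE on the following context line still builds SQL by interpolation, and `WHERE id=$id` is unquoted, so whatever escaping `real_clean()` performs (it is defined outside this hunk) does not protect that operand; unless `$id` is already cast to int earlier in the file, `WHERE id=".(int)$id` would close that gap. A prepared statement with bound parameters would remove the dependence on escaping order altogether. The `edit` case this hunk belongs to starts and ends outside the hunk.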
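Review bot: The new `clean(strip($email))` previews a value that has already been through `real_clean()` earlier in the same `edit` case (first hunk); if `real_clean()` is an SQL-escaping wrapper, as its use inside the UPDATE suggests, the preview shows the SQL-escaped form (backslashes before quotes) rather than the address the user typed, and the same applies to `value="<?= clean($email) ?>"` in the third hunk. Keeping a raw copy for display and applying SQL escaping only at the query boundary (or binding parameters) avoids mixing the two output contexts. `clean_note()` and `clean()` are defined elsewhere, so whether they escape correctly for the HTML body and attribute contexts respectively cannot be confirmed from this hunk; a comment on the echo such as `// clean_note() must HTML-escape before highlighting — $note may be raw POST input` would record the assumption the preview relies on.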
