From 087e41c48a53e4e6892cd327a3b8598777b62608 Mon Sep 17 00:00:00 2001 From: Savetheinternet Date: Mon, 22 Aug 2011 19:00:58 +1000 Subject: [PATCH] XSS no longer possible in some sections of moderator interface. Unicode accepted in more places --- mod.php | 56 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/mod.php b/mod.php index 7bc53827..30315971 100644 --- a/mod.php +++ b/mod.php @@ -109,7 +109,7 @@ 'no subject' ) . ' — by ' . - $_mod['username'] . + utf8tohtml($_mod['username']) . ' at ' . date($config['post_date'], $notice['time']) . ''; @@ -252,10 +252,10 @@ $body = '

' . 'Are you sure you want to do that?' . 'You clicked ' . - '?/' . htmlentities($uri) . '' . + '?/' . utf8tohtml($uri) . '' . ' but had Javascript disabled, so we weren\'t able to serve the confirmation dialog.' . '

' . - '

Confirm.

'; + '

Confirm.

'; echo Element('page.html', Array( 'config'=>$config, @@ -280,7 +280,7 @@ $query->execute() or error(db_error($query)); while($log = $query->fetch()) { - $log['text'] = htmlentities($log['text']); + $log['text'] = utf8tohtml($log['text']); $log['text'] = preg_replace('/(\d+\.\d+\.\d+\.\d+)/', '$1', $log['text']); $body .= '' . @@ -371,7 +371,7 @@ echo Element('page.html', Array( 'config'=>$config, - 'title'=>'Installed "' . htmlentities($theme['name']) . '"', + 'title'=>'Installed "' . utf8tohtml($theme['name']) . '"', 'body'=>$body, 'mod'=>true ) @@ -388,8 +388,8 @@ switch($c['type']) { case 'text': default: - $body .= ''; } @@ -404,7 +404,7 @@ echo Element('page.html', Array( 'config'=>$config, - 'title'=>'Installing "' . htmlentities($theme['name']) . '"', + 'title'=>'Installing "' . utf8tohtml($theme['name']) . '"', 'body'=>$body, 'mod'=>true ) @@ -433,11 +433,11 @@ $body .= '' . 'Name' . - '' . htmlentities($theme['name']) . '' . + '' . utf8tohtml($theme['name']) . '' . '' . '' . 'Version' . - '' . htmlentities($theme['version']) . '' . + '' . utf8tohtml($theme['version']) . '' . '' . '' . 'Description' . @@ -538,7 +538,7 @@ 'no subject' ) . ' — by ' . - $_mod['username'] . + utf8tohtml($_mod['username']) . ' at ' . date($config['post_date'], $notice['time']) . '

' . $notice['body'] . '

'; @@ -590,7 +590,7 @@ '' . 'Name' . (hasPermission($config['mod']['news_custom']) ? - '' + '' : '' . $mod['username'] . '') . '' . @@ -720,7 +720,7 @@ (!$pm['username'] ? '??' : - '' . htmlentities($pm['username']) . '' + '' . utf8tohtml($pm['username']) . '' ) . '' . @@ -729,7 +729,7 @@ ($__to === false ? '??' : - '' . htmlentities($__to) . '' + '' . utf8tohtml($__to) . '' ) . '' : '') . @@ -789,7 +789,7 @@ echo Element('page.html', Array( 'config'=>$config, 'title'=>'PM sent', - 'body'=>'
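Review bot: The fall-through branch of the news-form "Name" cell still concatenates `$mod['username']` raw on the new side (`: '' . $mod['username'] . ''`, the element text between the quotes was stripped in this rendering), while every other username this commit emits is now wrapped in utf8tohtml(). `$mod` is presumably the logged-in moderator's row and the username looks like it is loaded from the same table as `$_mod` elsewhere, so it needs the same treatment: `: '' . utf8tohtml($mod['username']) . '')`. The ternary and the enclosing `$body` assignment begin before this hunk, so the condition on `news_custom` is only partly visible here.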

Message sent successfully to ' . htmlentities($to['username']) . '.

', + 'body'=>'

Message sent successfully to ' . utf8tohtml($to['username']) . '.

', 'mod'=>true ) ); @@ -815,8 +815,8 @@ 'To' . (hasPermission($config['mod']['editusers']) ? - '' . htmlentities($to['username']) . '' : - htmlentities($to['username']) + '' . utf8tohtml($to['username']) . '' : + utf8tohtml($to['username']) ) . '' . @@ -830,7 +830,7 @@ echo Element('page.html', Array( 'config'=>$config, - 'title'=>'New PM for ' . htmlentities($to['username']), + 'title'=>'New PM for ' . utf8tohtml($to['username']), 'body'=>$body, 'mod'=>true ) @@ -842,7 +842,7 @@ $body = '

Search

' . '

' . '' . '' . '

' . @@ -944,7 +944,7 @@ '' . '' . - $_mod['username'] . + utf8tohtml($_mod['username']) . '' . '' . @@ -957,7 +957,7 @@ '' . ($_mod['last'] ? - '' . ago($_mod['last']) . '' + '' . ago($_mod['last']) . '' : 'never') . '' . @@ -1201,8 +1201,8 @@ 'Username' . (isset($change_password_only) ? - $_mod['username'] - : '') . + utf8tohtml($_mod['username']) + : '') . '' . 'Password (new; optional)' . @@ -1474,7 +1474,7 @@ ''. $ban['ip'] . '' - : $ban['ip']) . + : utf8tohtml($ban['ip'])) . '' . @@ -1513,7 +1513,7 @@ '?'))) ) : - $ban['username'] + utf8tohtml($ban['username']) ) . '' . @@ -2147,9 +2147,9 @@ $_query->execute() or error(db_error($_query)); if($_mod = $_query->fetch()) { if(hasPermission($config['mod']['editusers'])) - $staff = '' . htmlentities($_mod['username']) . ''; + $staff = '' . utf8tohtml($_mod['username']) . ''; else - $staff = $_mod['username']; + $staff = utf8tohtml($_mod['username']); } else { $staff = '??'; } @@ -2249,7 +2249,7 @@ '?'))) ) : - $ban['username'] + utf8tohtml($ban['username']) ) . '' .
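Review bot: In the `@@ -1201` hunk the second changed line now passes utf8tohtml($_mod['username']) into what is presumably the username input's value attribute (the tag text was stripped in this rendering; only the trailing `: '') .` survives), and utf8tohtml() is not defined anywhere in this patch. htmlentities() with its default flags encoded double quotes, so if utf8tohtml() only covers `<`, `>` and `&` this swap reopens attribute breakout on exactly the form that edits moderator accounts. Please confirm utf8tohtml() encodes quotes, or escape attribute values explicitly with `htmlspecialchars($_mod['username'], ENT_QUOTES, 'UTF-8')` and keep utf8tohtml() for text nodes. The surrounding `$body` assignment starts and ends outside this hunk.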
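Review bot: In the `@@ -1474` hunk only the else branch gets utf8tohtml($ban['ip']); the first branch on the context line just above it (`''. $ban['ip'] . ''`, the anchor markup stripped here) still emits the stored value raw twice, apparently once inside a link attribute and once as the link text. The condition that selects between the two branches is outside the hunk: if it is a strict dotted-quad regex the raw output is harmless, but if it is a permission check then a ban record containing markup is rendered unescaped for precisely the moderators allowed to see IPs. Wrapping both occurrences in the first branch in utf8tohtml() the same way the else branch now does removes the dependency on that condition; the ban-list statement that contains this ternary begins before the hunk.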