XSS in "manage users" page (mod log)

Mod log permissions fix Tiny display change in "manage users" page
2012-01-07 15:38:18 +11:00 · 2012-01-07 15:38:18 +11:00 · 3f05a9282b
commit 3f05a9282b
parent 20f9dbab47
1 changed files with 13 additions and 4 deletions
--- a/mod.php
+++ b/mod.php
@ -1023,6 +1023,13 @@
 			$query = query("SELECT *, (SELECT `time` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM `mods` ORDER BY `type` DESC,`id`") or error(db_error());
 			while($_mod = $query->fetch()) {				
 				$type = $_mod['type'] == JANITOR ? 'Janitor' : ($_mod['type'] == MOD ? 'Mod' : 'Admin');
+				
+				$_mod['boards'] = explode(',', $_mod['boards']);
+				foreach($_mod['boards'] as &$_board) {
+					if($_board != '*')
+						$_board = '/' . $_board . '/';
+				}
+				
 				$body .= '<tr>' .
 					'<td>' .
 						$_mod['id'] .
@ -1037,13 +1044,15 @@
 					'</td>' .
 					
 					'<td>' .
-						str_replace(',', ', ', $_mod['boards']) .
+						implode(', ', $_mod['boards']) .
 					'</td>' .
 					
 					'<td>' .
+						(hasPermission($config['mod']['modlog']) ?
 							($_mod['last'] ?
-							'<span title="' . utf8tohtml($_mod['action']) . '">' . ago($_mod['last']) . '</span>'
-						: '<em>never</em>') .
+								'<span title="' . str_replace('"', '&quot;', utf8tohtml($_mod['action'])) . '">' . ago($_mod['last']) . '</span>'
+							: '<em>never</em>')
+						: '-') .
 					'</td>' .
 					
 					'<td style="white-space:nowrap">' .