kashire/lainchan
4
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Bugfix: HTML injection in post editing (introduces and fixes yet another bug)

Browse Source
This commit is contained in:
Michael Foster 2013-07-31 21:24:17 -04:00
parent a5312ebe89
commit ea2b8cce07
3 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
inc/functions.php
View File

@ -1420,7 +1420,7 @@ function markup(&$body, $track_cites = false) {
$body = str_replace("\r", '', $body);
$body = utf8tohtml($body);
if (preg_match_all('@<tinyboard ([\w\s]+)>(.+)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
if (preg_match_all('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
$skip_chars = 0;
$body_tmp = $body;
$end_markup = false;
@ -1436,7 +1436,7 @@ function markup(&$body, $track_cites = false) {
if ($modifier['type'] == 'ban message') {
// Public ban message
$replacement = sprintf($config['mod']['ban_message'], $modifier['content']);
$replacement = sprintf($config['mod']['ban_message'], html_entity_decode($modifier['content']));
if ($end_markup) {
$body .= $replacement;
}

9
inc/mod/pages.php
View File

@ -1222,7 +1222,7 @@ function mod_ban_post($board, $delete, $post, $token = false) {
$_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']);
$query = prepare(sprintf('UPDATE `posts_%s` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board));
$query->bindValue(':id', $post);
$query->bindValue(':body_nomarkup', sprintf("\n<tinyboard ban message>%s</tinyboard>", $_POST['message']));
$query->bindValue(':body_nomarkup', sprintf("\n<tinyboard ban message>%s</tinyboard>", utf8tohtml($_POST['message'])));
$query->execute() or error(db_error($query));
rebuildPost($post);
@ -1298,10 +1298,13 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']);
} else {
if ($config['minify_html']) {
$post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']);
$post['body'] = str_replace("\n", '&#010;', $post['body']);
// $post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']);
// $post['body'] = str_replace("\n", '&#010;', $post['body']);
}
// Minifying this page causes an issue with newlines in the textarea. This is a temporary solution.
$config['minify_html'] = false;
mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post));
}
}

2
templates/mod/edit_post_form.html
View File

@ -32,7 +32,7 @@
{% trans %}Comment{% endtrans %}
</th>
<td>
<textarea name="body" id="body" rows="8" cols="35">{% if raw %}{{ post.body | e }}{% else %}{{ post.body_nomarkup }}{% endif %}</textarea>
<textarea name="body" id="body" rows="8" cols="35">{% if raw %}{{ post.body|e }}{% else %}{{ post.body_nomarkup|e }}{% endif %}</textarea>
</td>
</tr>
</table>