james/fembooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #576 from im-mi/fix-pool-description-code-injection

Browse Source 
Update pool description formatter (code injection vulnerability)
This commit is contained in:
Shish 2016-09-01 11:18:37 +01:00 committed by GitHub
commit 29bdc5da22
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ext/pools/theme.php
View File

@ -154,8 +154,9 @@ class PoolsTheme extends Themelet {
}
}
$bb = new BBCode();
$page->add_block(new Block(html_escape($pool['title']), $bb->format($pool['description']), "main", 10));
$tfe = new TextFormattingEvent($pool['description']);
send_event($tfe);
$page->add_block(new Block(html_escape($pool['title']), $tfe->formatted, "main", 10));
}
}