james/fembooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #574 from im-mi/single-quotes-in-tags-fix

Browse Source 
Fix tags not being escaped for HTML in some cases (code injection vulnerability)
This commit is contained in:
Shish 2016-08-29 09:09:55 +01:00 committed by GitHub
commit 5691d1c3ad
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/basethemelet.class.php
View File

@ -54,7 +54,7 @@ class BaseThemelet {
$h_view_link = make_link('post/view/'.$i_id); $h_view_link = make_link('post/view/'.$i_id);
$h_thumb_link = $image->get_thumb_link(); $h_thumb_link = $image->get_thumb_link();
$h_tip = html_escape($image->get_tooltip()); $h_tip = html_escape($image->get_tooltip());
$h_tags = strtolower($image->get_tag_list()); $h_tags = html_escape(strtolower($image->get_tag_list()));
$extArr = array_flip(array('swf', 'svg', 'mp3')); //List of thumbless filetypes $extArr = array_flip(array('swf', 'svg', 'mp3')); //List of thumbless filetypes
if(!isset($extArr[$image->ext])){ if(!isset($extArr[$image->ext])){

2
ext/tag_list/theme.php
View File

@ -216,7 +216,7 @@ class TagListTheme extends Themelet {
$count = $row['calc_count']; $count = $row['calc_count'];
// if($n++) $display_html .= "\n<br/>"; // if($n++) $display_html .= "\n<br/>";
if(!is_null($config->get_string('info_link'))) { if(!is_null($config->get_string('info_link'))) {
$link = str_replace('$tag', $tag, $config->get_string('info_link')); $link = html_escape(str_replace('$tag', $tag, $config->get_string('info_link')));
$display_html .= ' <a class="tag_info_link'.$tag_category_css.'" '.$tag_category_style.'href="'.$link.'">?</a>'; $display_html .= ' <a class="tag_info_link'.$tag_category_css.'" '.$tag_category_style.'href="'.$link.'">?</a>';
} }
$link = $this->tag_link($row['tag']); $link = $this->tag_link($row['tag']);