james/fembooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

escape more data, fix an XSS hole

Browse Source
This commit is contained in:
Shish 2010-07-26 17:21:29 +01:00
parent faf313d5ba
commit c0cebccb27
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
contrib/rss_images/main.php
View File

@ -12,7 +12,7 @@ class RSS_Images extends SimpleExtension {
$title = $config->get_string('title'); $title = $config->get_string('title');
if(count($event->search_terms) > 0) { if(count($event->search_terms) > 0) {
$search = implode(' ', $event->search_terms); $search = html_escape(implode(' ', $event->search_terms));
$page->add_header("<link id=\"images\" rel=\"alternate\" type=\"application/rss+xml\" ". $page->add_header("<link id=\"images\" rel=\"alternate\" type=\"application/rss+xml\" ".
"title=\"$title - Images with tags: $search\" href=\"".make_link("rss/images/$search/1")."\" />"); "title=\"$title - Images with tags: $search\" href=\"".make_link("rss/images/$search/1")."\" />");
} }
@ -42,14 +42,14 @@ class RSS_Images extends SimpleExtension {
$data = ""; $data = "";
foreach($images as $image) { foreach($images as $image) {
$link = make_http(make_link("post/view/{$image->id}")); $link = make_http(make_link("post/view/{$image->id}"));
$tags = $image->get_tag_list(); $tags = html_escape($image->get_tag_list());
$owner = $image->get_owner(); $owner = $image->get_owner();
$thumb_url = $image->get_thumb_link(); $thumb_url = $image->get_thumb_link();
$image_url = $image->get_image_link(); $image_url = $image->get_image_link();
$posted = date(DATE_RSS, $image->posted_timestamp); $posted = date(DATE_RSS, $image->posted_timestamp);
$content = html_escape( $content = html_escape(
"<p>" . Themelet::build_thumb_html($image) . "</p>" . "<p>" . Themelet::build_thumb_html($image) . "</p>" .
"<p>Uploaded by " . $owner->name . "</p>" "<p>Uploaded by " . html_escape($owner->name) . "</p>"
); );
$data .= " $data .= "
@ -69,7 +69,7 @@ class RSS_Images extends SimpleExtension {
$base_href = make_http($config->get_string('base_href')); $base_href = make_http($config->get_string('base_href'));
$search = ""; $search = "";
if(count($search_terms) > 0) { if(count($search_terms) > 0) {
$search = html_escape(implode(" ", $search_terms)) . "/"; $search = url_escape(implode(" ", $search_terms)) . "/";
} }
if($page_number > 1) { if($page_number > 1) {