From c1083bbea1806e9d04674c62531f9f4867dd877e Mon Sep 17 00:00:00 2001 From: im-mi Date: Wed, 14 Sep 2016 17:42:32 -0400 Subject: [PATCH 1/2] Fixed comment-delete code-injection vulnerability --- core/util.inc.php | 10 ++++++++++ ext/comment/theme.php | 13 ++++++++----- themes/danbooru/comment.theme.php | 13 ++++++++----- themes/danbooru2/comment.theme.php | 13 ++++++++----- themes/futaba/comment.theme.php | 13 ++++++++----- 5 files changed, 42 insertions(+), 20 deletions(-) diff --git a/core/util.inc.php b/core/util.inc.php index 94cf1eb0..1d5460f9 100644 --- a/core/util.inc.php +++ b/core/util.inc.php @@ -15,6 +15,16 @@ function html_escape($input) { return htmlentities($input, ENT_QUOTES, "UTF-8"); } +/** + * Unescape data that was made safe for printing into HTML + * + * @param $input + * @return string + */ +function html_unescape($input) { + return html_entity_decode($input, ENT_QUOTES, "UTF-8"); +} + /** * Make sure some data is safe to be used in integer context * diff --git a/ext/comment/theme.php b/ext/comment/theme.php index 20e963f9..f017bdb3 100644 --- a/ext/comment/theme.php +++ b/ext/comment/theme.php @@ -259,8 +259,6 @@ class CommentListTheme extends Themelet { else { $h_userlink = ''.$h_name.''; } - $stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50)); - $stripped_nonl = str_replace("\r", "\\r", $stripped_nonl); $hb = ($comment->owner_class == "hellbanned" ? "hb" : ""); if($trim) { @@ -280,9 +278,14 @@ class CommentListTheme extends Themelet { } $h_reply = " - Reply"; $h_ip = $user->can("view_ip") ? "
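Review bot: The docblock on the new html_unescape in core/util.inc.php gives `@param $input` with no type and says nothing about where the decoded value may go, although html_entity_decode exactly reverses what html_escape did, so the return value is unsafe to place into HTML again without re-escaping for its new context. I would write `@param string $input HTML-escaped text` and `@return string raw text; re-escape it (html_escape, json_encode, ...) before placing it in any output context` so callers do not treat the result as printable. Documenting this is the only guard, since the function itself cannot tell which context the caller is about to use.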
".show_ip($comment->poster_ip, "Comment posted {$comment->posted}") : ""; - $h_del = $user->can("delete_comment") ? - ' - Del' : ''; + $h_del = ""; + if ($user->can("delete_comment")) { + $comment_preview = substr(html_unescape($tfe->stripped), 0, 50); + $j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview"); + $h_delete_script = html_escape("return confirm($j_delete_confirm_message);"); + $h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id"); + $h_del = " - Del"; + } $html = "
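Review bot: `substr(html_unescape($tfe->stripped), 0, 50)` in the new delete-link block cuts by byte, so a multi-byte UTF-8 character straddling offset 50 leaves a malformed string, and json_encode returns false on malformed UTF-8; false interpolates as an empty string, giving `return confirm();`, which closes the injection but silently drops the confirm message. Use `$comment_preview = mb_substr(html_unescape($tfe->stripped), 0, 50, 'UTF-8');` (or, on PHP 7.2+, pass `JSON_INVALID_UTF8_SUBSTITUTE` to json_encode) so the preview stays valid. The same block is repeated verbatim in the danbooru, danbooru2 and futaba comment.theme.php hunks and has the same issue there. The layering itself is right: json_encode produces a JavaScript string literal and html_escape then makes the whole handler attribute-safe, which the old str_replace-based quoting did not achieve. The enclosing method continues past the end of this hunk.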
diff --git a/themes/danbooru/comment.theme.php b/themes/danbooru/comment.theme.php index 5e959e10..e7187fe5 100644 --- a/themes/danbooru/comment.theme.php +++ b/themes/danbooru/comment.theme.php @@ -111,12 +111,15 @@ class CustomCommentListTheme extends CommentListTheme { $i_image_id = int_escape($comment->image_id); $h_posted = autodate($comment->posted); - $stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50)); - $stripped_nonl = str_replace("\r", "\\r", $stripped_nonl); $h_userlink = "$h_name"; - $h_del = $user->can("delete_comment") ? - ' - Del' : ''; + $h_del = ""; + if ($user->can("delete_comment")) { + $comment_preview = substr(html_unescape($tfe->stripped), 0, 50); + $j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview"); + $h_delete_script = html_escape("return confirm($j_delete_confirm_message);"); + $h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id"); + $h_del = " - Del"; + } //$h_imagelink = $trim ? ">>>\n" : ""; if($trim) { return "

$h_userlink $h_del
$h_posted
$h_comment

"; diff --git a/themes/danbooru2/comment.theme.php b/themes/danbooru2/comment.theme.php index 081537bb..a9fef1dd 100644 --- a/themes/danbooru2/comment.theme.php +++ b/themes/danbooru2/comment.theme.php @@ -101,12 +101,15 @@ class CustomCommentListTheme extends CommentListTheme { $i_image_id = int_escape($comment->image_id); $h_posted = autodate($comment->posted); - $stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50)); - $stripped_nonl = str_replace("\r", "\\r", $stripped_nonl); $h_userlink = "$h_name"; - $h_del = $user->can("delete_comment") ? - ' - Del' : ''; + $h_del = ""; + if ($user->can("delete_comment")) { + $comment_preview = substr(html_unescape($tfe->stripped), 0, 50); + $j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview"); + $h_delete_script = html_escape("return confirm($j_delete_confirm_message);"); + $h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id"); + $h_del = " - Del"; + } //$h_imagelink = $trim ? ">>>\n" : ""; if($trim) { return "

$h_userlink $h_del
$h_posted
$h_comment

"; diff --git a/themes/futaba/comment.theme.php b/themes/futaba/comment.theme.php index 29e0b157..bd8a97b8 100644 --- a/themes/futaba/comment.theme.php +++ b/themes/futaba/comment.theme.php @@ -70,13 +70,16 @@ class CustomCommentListTheme extends CommentListTheme { $i_comment_id = int_escape($comment->comment_id); $i_image_id = int_escape($comment->image_id); - $stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50)); - $stripped_nonl = str_replace("\r", "\\r", $stripped_nonl); $h_userlink = "$h_name"; $h_date = $comment->posted; - $h_del = $user->can("delete_comment") ? - ' - Del' : ''; + $h_del = ""; + if ($user->can("delete_comment")) { + $comment_preview = substr(html_unescape($tfe->stripped), 0, 50); + $j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview"); + $h_delete_script = html_escape("return confirm($j_delete_confirm_message);"); + $h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id"); + $h_del = " - Del"; + } $h_reply = "[Reply]"; if($inner_id == 0) { From a49c5745b0ad137eee1127e9e7da2967fd56950c Mon Sep 17 00:00:00 2001 From: im-mi Date: Wed, 14 Sep 2016 18:08:12 -0400 Subject: [PATCH 2/2] Use html_escape instead of htmlspecialchars --- ext/tag_editcloud/main.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tag_editcloud/main.php b/ext/tag_editcloud/main.php index aca32af7..f9325aae 100644 --- a/ext/tag_editcloud/main.php +++ b/ext/tag_editcloud/main.php @@ -134,7 +134,7 @@ class TagEditCloud extends Extension { } $size = sprintf("%.2f", max($row['scaled'],0.5)); - $js = htmlspecialchars('tageditcloud_toggle_tag(this,'.json_encode($full_tag).')',ENT_QUOTES); //Ugly, but it works + $js = html_escape('tageditcloud_toggle_tag(this,'.json_encode($full_tag).')'); //Ugly, but it works if(array_search($row['tag'],$image->get_tag_array()) !== FALSE) { if($used_first) {