From ea2b8cce077a092e0cbf136f9a45158668cc5ecf Mon Sep 17 00:00:00 2001
From: Michael Foster
Date: Wed, 31 Jul 2013 21:24:17 -0400
Subject: [PATCH] Bugfix: HTML injection in post editing (introduces and fixes yet another bug)
---
 inc/functions.php | 4 ++--
 inc/mod/pages.php | 9 ++++++---
 templates/mod/edit_post_form.html | 2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/inc/functions.php b/inc/functions.php
index b40b40d2..9e1ce1fa 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -1420,7 +1420,7 @@ function markup(&$body, $track_cites = false) {
 $body = str_replace("\r", '', $body);
 $body = utf8tohtml($body);
- if (preg_match_all('@<tinyboard ([\w\s]+)>(.+)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
+ if (preg_match_all('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
 $skip_chars = 0;
 $body_tmp = $body;
 $end_markup = false;
@@ -1436,7 +1436,7 @@ function markup(&$body, $track_cites = false) {
 if ($modifier['type'] == 'ban message') {
 // Public ban message
- $replacement = sprintf($config['mod']['ban_message'], $modifier['content']);
+ $replacement = sprintf($config['mod']['ban_message'], html_entity_decode($modifier['content']));
 if ($end_markup) {
 $body .= $replacement;
 }
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 7edc0ee6..2808dc56 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
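Review bot: In `markup()` (inc/functions.php, hunk at 1420) the pattern keeps the `m` modifier although it contains no `^` or `$` anchor, so the flag has no effect, and without `s` the new `(.+?)` still cannot cross a newline. A modifier whose content holds a line break would therefore not match and would stay in the body as ordinary text; whether that can occur depends on the code that writes `body_nomarkup`, most of which is outside this hunk. If single-line content is the intent, record it next to the pattern, e.g. `// lazy so adjacent <tinyboard> elements stay separate; content is single-line by design (no /s)`. The body of `markup()` continues outside the hunk.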
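Review bot: `html_entity_decode($modifier['content'])` in the ban-message branch of `markup()` (inc/functions.php, hunk at 1436) turns entities back into characters just before the text is formatted into `$config['mod']['ban_message']` and added to the rendered body, so the output is only safe while that content has been encoded twice. The pairing visible in this commit is `utf8tohtml($_POST['message'])` at write time in `mod_ban_post()` (inc/mod/pages.php, hunk at 1222) plus `utf8tohtml($body)` at the top of `markup()`; any other path that stores a ban-message modifier without the extra encoding would leave this call as unescaped HTML. The call also relies on the default flags and charset of `html_entity_decode()`, which differ between PHP versions, so passing them explicitly to mirror what `utf8tohtml()` uses would make the round trip exact. At minimum state the invariant at both sites, e.g. `// content was entity-encoded by mod_ban_post() and again by utf8tohtml() above; undo exactly one layer`. Both functions extend beyond their hunks.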
@@ -1222,7 +1222,7 @@ function mod_ban_post($board, $delete, $post, $token = false) {
 $_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']);
 $query = prepare(sprintf('UPDATE `posts_%s` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board));
 $query->bindValue(':id', $post);
- $query->bindValue(':body_nomarkup', sprintf("\n%s", $_POST['message']));
+ $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($_POST['message'])));
 $query->execute() or error(db_error($query));
 rebuildPost($post);
@@ -1298,10 +1298,13 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
 header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']);
 } else {
 if ($config['minify_html']) {
- $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']);
- $post['body'] = str_replace("\n", ' ', $post['body']);
+ // $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']);
+ // $post['body'] = str_replace("\n", ' ', $post['body']);
 }
+ // Minifying this page causes an issue with newlines in the textarea. This is a temporary solution.
+ $config['minify_html'] = false;
+
 mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post));
 }
 }
diff --git a/templates/mod/edit_post_form.html b/templates/mod/edit_post_form.html
index 146e725b..b9359c68 100644
--- a/templates/mod/edit_post_form.html
+++ b/templates/mod/edit_post_form.html
@@ -32,7 +32,7 @@ {% trans %}Comment{% endtrans %} - +
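Review bot: In `mod_edit_post()` (inc/mod/pages.php, hunk at 1298) the `if ($config['minify_html'])` block now holds only commented-out statements, so it is dead code, and the `$config['minify_html'] = false;` that follows changes the setting for the rest of the request rather than for this one page. If `$config` is the shared configuration array (its declaration is outside the hunk), anything rendered after `mod_page()` in the same request inherits the override. Consider deleting the empty block and keeping only the override with its reason, e.g. `// textarea content must keep its newlines, so this page is never minified` directly above `$config['minify_html'] = false;`. The function begins outside the hunk.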