
Bugfix: HTML injection in post editing (introduces and fixes yet another bug)

pull/40/head
Michael Foster 11 years ago
parent
commit
ea2b8cce07
  1. 4
      inc/functions.php
  2. 9
      inc/mod/pages.php
  3. 2
      templates/mod/edit_post_form.html

4
inc/functions.php

@ -1420,7 +1420,7 @@ function markup(&$body, $track_cites = false) {
$body = str_replace("\r", '', $body); $body = str_replace("\r", '', $body);
$body = utf8tohtml($body); $body = utf8tohtml($body);
if (preg_match_all('@<tinyboard ([\w\s]+)>(.+)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) { if (preg_match_all('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
$skip_chars = 0; $skip_chars = 0;
$body_tmp = $body; $body_tmp = $body;
$end_markup = false; $end_markup = false;
@ -1436,7 +1436,7 @@ function markup(&$body, $track_cites = false) {
if ($modifier['type'] == 'ban message') { if ($modifier['type'] == 'ban message') {
// Public ban message // Public ban message
$replacement = sprintf($config['mod']['ban_message'], $modifier['content']); $replacement = sprintf($config['mod']['ban_message'], html_entity_decode($modifier['content']));
if ($end_markup) { if ($end_markup) {
$body .= $replacement; $body .= $replacement;
} }
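Review bot: The html_entity_decode() on the new `$replacement` line undoes exactly one layer of escaping, so the substituted text is only safe if every stored `<tinyboard ban message>` was written through utf8tohtml() as mod_ban_post now does; rows written before this change were stored with the raw `$_POST['message']` (old side of the pages.php hunk), and for those the decode reverses the only escaping they receive from `$body = utf8tohtml($body)` above. That invariant deserves a comment on the line, e.g. `// content was stored escaped (utf8tohtml in mod_ban_post); undo the second escaping applied to $body above`, and pre-existing rows need re-escaping before this is deployed. html_entity_decode() also uses a PHP-version-dependent default charset (ISO-8859-1 before 5.4), so if utf8tohtml() emits numeric entities for non-ASCII text, pass `'UTF-8'` explicitly. markup() begins and ends outside the hunk.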

9
inc/mod/pages.php

@ -1222,7 +1222,7 @@ function mod_ban_post($board, $delete, $post, $token = false) {
$_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']); $_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']);
$query = prepare(sprintf('UPDATE `posts_%s` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board)); $query = prepare(sprintf('UPDATE `posts_%s` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board));
$query->bindValue(':id', $post); $query->bindValue(':id', $post);
$query->bindValue(':body_nomarkup', sprintf("\n<tinyboard ban message>%s</tinyboard>", $_POST['message'])); $query->bindValue(':body_nomarkup', sprintf("\n<tinyboard ban message>%s</tinyboard>", utf8tohtml($_POST['message'])));
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
rebuildPost($post); rebuildPost($post);
@ -1298,10 +1298,13 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']); header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']);
} else { } else {
if ($config['minify_html']) { if ($config['minify_html']) {
$post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']); // $post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']);
$post['body'] = str_replace("\n", '&#010;', $post['body']); // $post['body'] = str_replace("\n", '&#010;', $post['body']);
} }
// Minifying this page causes an issue with newlines in the textarea. This is a temporary solution.
$config['minify_html'] = false;
mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post)); mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post));
} }
} }
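Review bot: In the mod_edit_post hunk the `if ($config['minify_html'])` block is kept with both of its statements commented out, and the new `$config['minify_html'] = false;` that follows makes the block unreachable anyway; delete those four lines rather than leaving commented-out code, keeping only the explanatory comment and the assignment. Whether that assignment also disables minification for the rest of the request depends on how `$config` reaches this function (a `global` would make the change request-wide), which is outside the hunk; if so, say it in the comment, e.g. `// Disables minification for the rest of this request: newlines in the textarea are lost when the page is minified.`. The `utf8tohtml($_POST['message'])` binding in the mod_ban_post hunk would benefit from a one-line comment noting that the message is stored escaped (so, if utf8tohtml() escapes angle brackets, it cannot contain a literal `</tinyboard>` terminator) and that markup() is expected to decode it again. Both functions start outside the hunks.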

2
templates/mod/edit_post_form.html

@ -32,7 +32,7 @@
{% trans %}Comment{% endtrans %} {% trans %}Comment{% endtrans %}
</th> </th>
<td> <td>
<textarea name="body" id="body" rows="8" cols="35">{% if raw %}{{ post.body | e }}{% else %}{{ post.body_nomarkup }}{% endif %}</textarea> <textarea name="body" id="body" rows="8" cols="35">{% if raw %}{{ post.body|e }}{% else %}{{ post.body_nomarkup|e }}{% endif %}</textarea>
</td> </td>
</tr> </tr>
</table> </table>
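Review bot: The `|e` added to `post.body_nomarkup` escapes per expression, and the missing filter on this very expression is what let a stored body close the `<textarea>`; the same omission can recur in any other mod template that prints stored text. Since the unfiltered expression was evidently emitted raw, this template appears to run with Twig autoescape off — consider enabling autoescape for the mod templates so output is escaped by default and only an explicit `|raw` bypasses it. A short comment beside the textarea, `{# body_nomarkup is stored text: escape it, or a stored </textarea> ends the element #}`, would record why both branches filter.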
