From fd9baaea5fa420f7fc2c85fd1bcf46799a159883 Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Tue, 16 Jan 2024 18:01:13 +0000
Subject: [PATCH] post.php: sanitize appeal message
---
 post.php | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/post.php b/post.php
index 0e3460d9..d39d7bc2 100644
--- a/post.php
+++ b/post.php
@@ -64,6 +64,22 @@ function strip_markup($post_body)
 }
 }
+/**
+ * Inserts a new ban appeal into the database.
+ *
+ * @param int $ban_id Ban id.
+ * @param string $appeal_message Appeal message.
+ * @return void
+ */
+function query_insert_ban_appeal($ban_id, $appeal_message)
+{
+ $query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
+ $query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
+ $query->bindValue(':time', time(), PDO::PARAM_INT);
+ $query->bindValue(':message', $appeal_message);
+ $query->execute() or error(db_error($query));
+}
+
 /**
 * Method handling functions
 */
@@ -537,8 +553,9 @@ function handle_post()
 $_POST['subject'] = '';
 }
- if (!isset($_POST['password']))
+ if (!isset($_POST['password'])) {
 $_POST['password'] = '';
+ }
 if (isset($_POST['thread'])) {
 $post['op'] = false;
@@ -549,7 +566,7 @@ function handle_post()
 if (!$dropped_post) {
- // Check for CAPTCHA right after opening the board so the "return" link is in there
+ // Check for CAPTCHA right after opening the board so the "return" link is in there.
 if ($config['recaptcha']) {
 if (!isset($_POST['g-recaptcha-response']))
 error($config['error']['bot']);
@@ -1549,8 +1566,9 @@ function handle_appeal()
 function handle_appeal()
 {
 global $config;
- if (!isset($_POST['ban_id']))
+ if (!isset($_POST['ban_id'])) {
 error($config['error']['bot']);
+ }
 $ban_id = (int) $_POST['ban_id'];
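Review bot: `query_insert_ban_appeal` stores `$appeal_message` exactly as it is given, and its only caller in this patch passes an HTML-escaped string, so the docblock should state that contract instead of the bare "Appeal message": `@param string $appeal_message Appeal message, already escaped for the context it will be rendered in (the caller HTML-escapes it).` Without that, the next caller cannot tell whether to escape before calling, and the stored row ends up either raw or double-encoded. The signature could also carry native types, `function query_insert_ban_appeal(int $ban_id, string $appeal_message): void`, which matches the `PDO::PARAM_INT` binding of `$ban_id`; `handle_appeal()` in the later hunks is untyped, so this would be a deliberate departure from the file's current convention.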
@@ -1587,11 +1605,9 @@ function handle_appeal()
 error($config['error']['toolongappeal']);
 }
- $query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
- $query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
- $query->bindValue(':time', time(), PDO::PARAM_INT);
- $query->bindValue(':message', $_POST['appeal']);
- $query->execute() or error(db_error($query));
+ // Sanitize away eventual Cross Site Scripting funkyness.
+ $appeal_msg = htmlspecialchars($_POST['appeal']);
+ query_insert_ban_appeal($ban_id, $appeal_msg);
 displayBan($ban);
 }
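Review bot: `htmlspecialchars($_POST['appeal'])` relies on PHP's version-dependent default flags (before 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped), so the flags and charset should be explicit: `$appeal_msg = htmlspecialchars($_POST['appeal'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Escaping at storage time also binds the stored row to the HTML context: whatever later renders the appeal (`displayBan`, the moderation view) must not escape it again or it will double-encode, and any non-HTML consumer receives entities, so the usual placement is escaping at output, and how the stored message is rendered should be confirmed before relying on this. The check that raises `toolongappeal` starts outside the hunk and appears to run on the raw input, while encoding only makes the string longer, so a value that passes it may exceed the length the check or the column intended. The comment could state the actual effect rather than "sanitize": `// HTML-escape before storage; templates rendering this field must not escape it again.`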