XSS no longer possible in some sections of the moderator interface; Unicode now accepted in more places

Savetheinternet 2011-08-22 19:00:58 +10:00
parent 6e806e3520
commit 087e41c48a

56
mod.php

@ -109,7 +109,7 @@
'<em>no subject</em>' '<em>no subject</em>'
) . ) .
'</a><span class="unimportant"> — by ' . '</a><span class="unimportant"> — by ' .
$_mod['username'] . utf8tohtml($_mod['username']) .
' at ' . ' at ' .
date($config['post_date'], $notice['time']) . date($config['post_date'], $notice['time']) .
'</span></li>'; '</span></li>';
@ -252,10 +252,10 @@
$body = '<p style="text-align:center">' . $body = '<p style="text-align:center">' .
'<span class="heading" style="margin-bottom:6px">Are you sure you want to do that?</span>' . '<span class="heading" style="margin-bottom:6px">Are you sure you want to do that?</span>' .
'You clicked ' . 'You clicked ' .
'<strong>?/' . htmlentities($uri) . '</strong>' . '<strong>?/' . utf8tohtml($uri) . '</strong>' .
' but had Javascript disabled, so we weren\'t able to serve the confirmation dialog.' . ' but had Javascript disabled, so we weren\'t able to serve the confirmation dialog.' .
'</p>' . '</p>' .
'<p style="text-align:center"><a style="margin:block;font-size:150%;font-weight:bold" href="?/' . htmlentities($uri) . '">Confirm.</a></p>'; '<p style="text-align:center"><a style="margin:block;font-size:150%;font-weight:bold" href="?/' . utf8tohtml($uri) . '">Confirm.</a></p>';
echo Element('page.html', Array( echo Element('page.html', Array(
'config'=>$config, 'config'=>$config,
@ -280,7 +280,7 @@
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
while($log = $query->fetch()) { while($log = $query->fetch()) {
$log['text'] = htmlentities($log['text']); $log['text'] = utf8tohtml($log['text']);
$log['text'] = preg_replace('/(\d+\.\d+\.\d+\.\d+)/', '<a href="?/IP/$1">$1</a>', $log['text']); $log['text'] = preg_replace('/(\d+\.\d+\.\d+\.\d+)/', '<a href="?/IP/$1">$1</a>', $log['text']);
$body .= '<tr>' . $body .= '<tr>' .
@ -371,7 +371,7 @@
echo Element('page.html', Array( echo Element('page.html', Array(
'config'=>$config, 'config'=>$config,
'title'=>'Installed "' . htmlentities($theme['name']) . '"', 'title'=>'Installed "' . utf8tohtml($theme['name']) . '"',
'body'=>$body, 'body'=>$body,
'mod'=>true 'mod'=>true
) )
@ -388,8 +388,8 @@
switch($c['type']) { switch($c['type']) {
case 'text': case 'text':
default: default:
$body .= '<input type="text" name="' . htmlentities($c['name']) . '" ' . $body .= '<input type="text" name="' . utf8tohtml($c['name']) . '" ' .
(isset($c['default']) ? 'value="' . htmlentities($c['default']) . '" ' :'') . (isset($c['default']) ? 'value="' . utf8tohtml($c['default']) . '" ' :'') .
(isset($c['size']) ? 'size="' . (int)$c['size'] . '" ' :'') . (isset($c['size']) ? 'size="' . (int)$c['size'] . '" ' :'') .
'/>'; '/>';
} }
@ -404,7 +404,7 @@
echo Element('page.html', Array( echo Element('page.html', Array(
'config'=>$config, 'config'=>$config,
'title'=>'Installing "' . htmlentities($theme['name']) . '"', 'title'=>'Installing "' . utf8tohtml($theme['name']) . '"',
'body'=>$body, 'body'=>$body,
'mod'=>true 'mod'=>true
) )
@ -433,11 +433,11 @@
$body .= '<tr>' . $body .= '<tr>' .
'<th class="minimal">Name</th>' . '<th class="minimal">Name</th>' .
'<td>' . htmlentities($theme['name']) . '</td>' . '<td>' . utf8tohtml($theme['name']) . '</td>' .
'</tr>' . '</tr>' .
'<tr>' . '<tr>' .
'<th class="minimal">Version</th>' . '<th class="minimal">Version</th>' .
'<td>' . htmlentities($theme['version']) . '</td>' . '<td>' . utf8tohtml($theme['version']) . '</td>' .
'</tr>' . '</tr>' .
'<tr>' . '<tr>' .
'<th class="minimal">Description</th>' . '<th class="minimal">Description</th>' .
@ -538,7 +538,7 @@
'<em>no subject</em>' '<em>no subject</em>'
) . ) .
'<span class="unimportant"> — by ' . '<span class="unimportant"> — by ' .
$_mod['username'] . utf8tohtml($_mod['username']) .
' at ' . ' at ' .
date($config['post_date'], $notice['time']) . date($config['post_date'], $notice['time']) .
'</span></h2><p>' . $notice['body'] . '</p></div>'; '</span></h2><p>' . $notice['body'] . '</p></div>';
@ -590,7 +590,7 @@
'<tr>' . '<tr>' .
'<th>Name</th>' . '<th>Name</th>' .
(hasPermission($config['mod']['news_custom']) ? (hasPermission($config['mod']['news_custom']) ?
'<td><input type="text" size="55" name="name" id="name" value="' . htmlentities($mod['username']) . '" /></td>' '<td><input type="text" size="55" name="name" id="name" value="' . utf8tohtml($mod['username']) . '" /></td>'
: :
'<td>' . $mod['username'] . '</td>') . '<td>' . $mod['username'] . '</td>') .
'</tr><tr>' . '</tr><tr>' .
@ -720,7 +720,7 @@
(!$pm['username'] ? (!$pm['username'] ?
'<em>??</em>' '<em>??</em>'
: :
'<a href="?/new_PM/' . $pm['sender'] . '">' . htmlentities($pm['username']) . '</a>' '<a href="?/new_PM/' . $pm['sender'] . '">' . utf8tohtml($pm['username']) . '</a>'
) . ) .
'</td></tr>' . '</td></tr>' .
@ -729,7 +729,7 @@
($__to === false ? ($__to === false ?
'<em>??</em>' '<em>??</em>'
: :
'<a href="?/new_PM/' . $pm['to'] . '">' . htmlentities($__to) . '</a>' '<a href="?/new_PM/' . $pm['to'] . '">' . utf8tohtml($__to) . '</a>'
) . ) .
'</td></tr>' '</td></tr>'
: '') . : '') .
@ -789,7 +789,7 @@
echo Element('page.html', Array( echo Element('page.html', Array(
'config'=>$config, 'config'=>$config,
'title'=>'PM sent', 'title'=>'PM sent',
'body'=>'<p style="text-align:center">Message sent successfully to ' . htmlentities($to['username']) . '.</p>', 'body'=>'<p style="text-align:center">Message sent successfully to ' . utf8tohtml($to['username']) . '.</p>',
'mod'=>true 'mod'=>true
) )
); );
@ -815,8 +815,8 @@
'<tr><th>To</th><td>' . '<tr><th>To</th><td>' .
(hasPermission($config['mod']['editusers']) ? (hasPermission($config['mod']['editusers']) ?
'<a href="?/users/' . $to['id'] . '">' . htmlentities($to['username']) . '</a>' : '<a href="?/users/' . $to['id'] . '">' . utf8tohtml($to['username']) . '</a>' :
htmlentities($to['username']) utf8tohtml($to['username'])
) . ) .
'</td>' . '</td>' .
@ -830,7 +830,7 @@
echo Element('page.html', Array( echo Element('page.html', Array(
'config'=>$config, 'config'=>$config,
'title'=>'New PM for ' . htmlentities($to['username']), 'title'=>'New PM for ' . utf8tohtml($to['username']),
'body'=>$body, 'body'=>$body,
'mod'=>true 'mod'=>true
) )
@ -842,7 +842,7 @@
$body = '<div class="ban"><h2>Search</h2><form style="display:inline" action="?/search" method="post">' . $body = '<div class="ban"><h2>Search</h2><form style="display:inline" action="?/search" method="post">' .
'<p><label style="display:inline" for="search">Phrase:</label> ' . '<p><label style="display:inline" for="search">Phrase:</label> ' .
'<input id="search" name="search" type="text" size="35" ' . '<input id="search" name="search" type="text" size="35" ' .
(isset($_POST['search']) ? 'value="' . htmlentities($_POST['search']) . '" ' : '') . (isset($_POST['search']) ? 'value="' . utf8tohtml($_POST['search']) . '" ' : '') .
'/>' . '/>' .
'<input type="submit" value="Search" />' . '<input type="submit" value="Search" />' .
'</p></form>' . '</p></form>' .
@ -944,7 +944,7 @@
'</td>' . '</td>' .
'<td>' . '<td>' .
$_mod['username'] . utf8tohtml($_mod['username']) .
'</td>' . '</td>' .
'<td>' . '<td>' .
@ -957,7 +957,7 @@
'<td>' . '<td>' .
($_mod['last'] ? ($_mod['last'] ?
'<span title="' . htmlentities($_mod['action']) . '">' . ago($_mod['last']) . '</span>' '<span title="' . utf8tohtml($_mod['action']) . '">' . ago($_mod['last']) . '</span>'
: '<em>never</em>') . : '<em>never</em>') .
'</td>' . '</td>' .
@ -1201,8 +1201,8 @@
'<tr><th>Username</th><td>' . '<tr><th>Username</th><td>' .
(isset($change_password_only) ? (isset($change_password_only) ?
$_mod['username'] utf8tohtml($_mod['username'])
: '<input size="20" maxlength="30" type="text" name="username" value="' . $_mod['username'] . '" autocomplete="off" />') . : '<input size="20" maxlength="30" type="text" name="username" value="' . utf8tohtml($_mod['username']) . '" autocomplete="off" />') .
'</td></tr>' . '</td></tr>' .
'<tr><th>Password <span class="unimportant">(new; optional)</span></th><td><input size="20" maxlength="30" type="password" name="password" value="" autocomplete="off" /></td></tr>' . '<tr><th>Password <span class="unimportant">(new; optional)</span></th><td><input size="20" maxlength="30" type="password" name="password" value="" autocomplete="off" /></td></tr>' .
@ -1474,7 +1474,7 @@
'<a href="?/IP/' . '<a href="?/IP/' .
$ban['ip'] . $ban['ip'] .
'">'. $ban['ip'] . '</a>' '">'. $ban['ip'] . '</a>'
: $ban['ip']) . : utf8tohtml($ban['ip'])) .
'</td>' . '</td>' .
@ -1513,7 +1513,7 @@
'?'))) '?')))
) )
: :
$ban['username'] utf8tohtml($ban['username'])
) . ) .
'</td>' . '</td>' .
@ -2147,9 +2147,9 @@
$_query->execute() or error(db_error($_query)); $_query->execute() or error(db_error($_query));
if($_mod = $_query->fetch()) { if($_mod = $_query->fetch()) {
if(hasPermission($config['mod']['editusers'])) if(hasPermission($config['mod']['editusers']))
$staff = '<a href="?/users/' . $note['mod'] . '">' . htmlentities($_mod['username']) . '</a>'; $staff = '<a href="?/users/' . $note['mod'] . '">' . utf8tohtml($_mod['username']) . '</a>';
else else
$staff = $_mod['username']; $staff = utf8tohtml($_mod['username']);
} else { } else {
$staff = '<em>??</em>'; $staff = '<em>??</em>';
} }
@ -2249,7 +2249,7 @@
'?'))) '?')))
) )
: :
$ban['username'] utf8tohtml($ban['username'])
) . ) .
'</td></tr></table>' . '</td></tr></table>' .