fix corrupted attributes using context-aware escaping (#296)

* fix corrupted attributes using context-aware escaping Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com> * fix corrupted attributes on preferences page Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
phpList · May 24, 2018 · 5968fc7 · 5968fc7
1 parent 2ba5d93
commit 5968fc7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 17 deletions.
diff --git a/public_html/lists/admin/subscribelib2.php b/public_html/lists/admin/subscribelib2.php
@@ -1046,7 +1046,7 @@ function ListAttributes($attributes, $attributedata, $htmlchoice = 0, $userid =
                     $output[$attr['id']] .= sprintf('</td><td class="attributeinput">
             <input type="text" name="%s"  class="attributeinput" size="%d" value="%s" id="'.$fieldname.'" />', $fieldname,
                         $textlinewidth,
-                        $_POST[$fieldname] ? htmlspecialchars(stripslashes($_POST[$fieldname])) : ($data[$attr['id']] ? $data[$attr['id']] : $attr['default_value']));
+                        $_POST[$fieldname] ? str_replace('"', '&#x22;', stripslashes($_POST[$fieldname])) : ($data[$attr['id']] ? $data[$attr['id']] : $attr['default_value']));
                     if ($attr['required']) {
                         $output[$attr['id']] .= sprintf('<script language="Javascript" type="text/javascript">addFieldToCheck("%s","%s");</script>',
                             $fieldname, $attr['name']);
@@ -1059,7 +1059,7 @@ function ListAttributes($attributes, $attributedata, $htmlchoice = 0, $userid =
                     $output[$attr['id']] .= sprintf('<tr><td class="attributeinput" colspan="2">
             <textarea name="%s" rows="%d"  class="attributeinput" cols="%d" wrap="virtual" id="'.$fieldname.'">%s</textarea>',
                         $fieldname, $textarearows, $textareacols,
-                        $_POST[$fieldname] ? htmlspecialchars(stripslashes($_POST[$fieldname])) : ($data[$attr['id']] ? htmlspecialchars(stripslashes($data[$attr['id']])) : $attr['default_value']));
+                        $_POST[$fieldname] ? str_replace(array('>', '<'), array('&gt;', '&lt;'),stripslashes($_POST[$fieldname])) : ($data[$attr['id']] ? str_replace(array('>', '<'), array('&gt;', '&lt;'),stripslashes($data[$attr['id']])) : $attr['default_value']));
                     if ($attr['required']) {
                         $output[$attr['id']] .= sprintf('<script language="Javascript" type="text/javascript">addFieldToCheck("%s","%s");</script>',
                             $fieldname, $attr['name']);

diff --git a/public_html/lists/admin/user.php b/public_html/lists/admin/user.php
@@ -270,26 +270,26 @@
     // delete the index in delete
     $_SESSION['action_result'] = s('Deleting').' '.s('Subscriber').' '.s('ID')." $delete ..\n";
     if ($require_login && !isSuperUser()) {
-        // If the user does not permission to permanently delete, delete 
+        // If the user does not permission to permanently delete, delete
         // subscriptoins instead
 
         // Get all lists subscriber is a member of
         $lists = Sql_query("
-            SELECT 
-                listid 
-            FROM 
-                {$tables['listuser']},{$tables['list']} 
-            WHERE 
-                userid = ".$delete." 
-                AND $tables[listuser].listid = $tables[list].id 
-                $subselect 
+            SELECT
+                listid
+            FROM
+                {$tables['listuser']},{$tables['list']}
+            WHERE
+                userid = ".$delete."
+                AND $tables[listuser].listid = $tables[list].id
+                $subselect
         ");
         while ($lst = Sql_fetch_array($lists)) {
             Sql_query("
-                DELETE FROM 
-                    {$tables['listuser']} 
-                WHERE 
-                    userid = $delete 
+                DELETE FROM
+                    {$tables['listuser']}
+                WHERE
+                    userid = $delete
                     AND listid = $lst[0]
             ");
         }
@@ -477,7 +477,7 @@ class="confirm btn btn-default"
         } elseif ($row['type'] == 'textarea') {
             $userdetailsHTML .= sprintf('
            <tr><td valign="top" class="dataname">%s</td><td><textarea name="attribute[%d]" rows="10" cols="40" class="wrap virtual">%s</textarea></td>
-           </tr>', stripslashes($row['name']), $row['id'], htmlspecialchars(stripslashes($row['value'])));
+           </tr>', stripslashes($row['name']), $row['id'], str_replace(array('>', '<'), array('&gt;', '&lt;'), stripslashes($row['value'])));
         } elseif ($row['type'] == 'avatar') {
             $userdetailsHTML .= sprintf('<tr><td valign="top" class="dataname">%s</td><td>',
                 stripslashes($row['name']));
@@ -493,7 +493,7 @@ class="confirm btn btn-default"
                     stripslashes($row['name']), UserAttributeValueSelect($id, $row['id']));
             } else {
                 $userdetailsHTML .= sprintf('<tr><td class="dataname">%s</td><td><input class="attributeinput" type="text" name="attribute[%d]" value="%s" size="30" /></td></tr>'."\n",
-                    $row['name'], $row['id'], htmlspecialchars(stripslashes($row['value'])));
+                    $row['name'], $row['id'], str_replace('"', '&#x22;', stripslashes($row['value'])));
             }
         }
     }