Fix of XSS vulnerability in ForumML

Enalean · May 8, 2013 · 16b4c43 · 16b4c43
1 parent 2417abe
commit 16b4c43
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/src/common/layout/TabbedLayout.class.php b/src/common/layout/TabbedLayout.class.php
@@ -21,16 +21,28 @@
 require_once('Layout.class.php');
 class TabbedLayout extends Layout {
 
-
+
+	/**
+     * Codendi html purifier
+     * 
+     * @var	    Codendi_HTMLPurifier    $purifier
+     */
+    var $purifier;
+
+    function __construct($root) {
+        // Parent constructor
+        parent::__construct($root);
+        $this->purifier = Codendi_HTMLPurifier::instance();
+    }
+
 	/**
 	 *	createLinkToUserHome() - Creates a link to a user's home page	
 	 * 
 	 *	@param	string	The user's user_name
 	 *	@param	string	The user's realname
 	 */
-	function createLinkToUserHome($user_name, $realname) {
-        $hp = Codendi_HTMLPurifier::instance();
-		return '<a href="/users/'.$user_name.'/">'. $hp->purify($realname, CODENDI_PURIFIER_CONVERT_HTML) .'</a>';
+	function createLinkToUserHome($user_name, $realname) {        
+        return '<a href="/users/'.$user_name.'/">'. $this->purifier->purify($realname, CODENDI_PURIFIER_CONVERT_HTML) .'</a>';
 	}
 
     function getBodyHeader($params) {
@@ -572,6 +584,7 @@ function getSearchBox() {
             $output .= "\t<INPUT TYPE=\"HIDDEN\" VALUE=\"$atid\" NAME=\"atid\">\n";
         } 
         if ( isset($forum_id) ) {
+            $forum_id = $this->purifier->purify($forum_id, CODENDI_PURIFIER_CONVERT_HTML);
             $output .= "\t<INPUT TYPE=\"HIDDEN\" VALUE=\"$forum_id\" NAME=\"forum_id\">\n";
         } 
         if ( isset($is_bug_page) ) {