
Fix search.php & profile.php XSS

Fixes security vulnerabilities from #17

About encode_text(): the _<x>_ handling has been in the code since 2.2.4 and is documented in the changelog; I'm not sure why (at one point the XSS protection interfered with the AJAX code, which may be why _<x>_ was "necessary").
Halamix2 committed Jun 17, 2017
1 parent bd9700c commit 0c921225d45d8d0d39e7ad64992fd58191205f03
Showing with 10 additions and 18 deletions.
  1. +2 −2 classes/PostingFunctions.php
  2. +1 −1 profile.php
  3. +7 −15 search.php
@@ -45,7 +45,7 @@ public static function format_text($text,$type='') {
public static function encode_text($text)
{
$string = str_replace(array('<','>','<x>'),array('&lt;','&gt;',''),$text);
$string = htmlspecialchars($text, ENT_QUOTES);
return $string;
}
@@ -376,4 +376,4 @@ public static function geshify($match) {
return strtoupper($language)." Code:<br><div class=\"code_block\">$_geshied</code></div>";
}
}
}
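Review bot: The new `htmlspecialchars($text, ENT_QUOTES)` call in encode_text passes neither `ENT_SUBSTITUTE` nor an explicit charset, so on PHP ≥ 5.4 a value containing an invalid UTF-8 sequence makes it return `''`, and search.php (which now routes `$_GET['q']` through this function) silently treats such a query as empty. `return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` replaces the bad bytes with U+FFFD instead and removes the dependency on `default_charset`. Since the `<x>` stripping is gone, the function is now a plain output escaper, which is worth stating in a docblock such as `/** HTML-escapes $text for output (quotes included); not a storage or query sanitiser. */` so callers stop using it to clean data before it is queried. The enclosing PostingFunctions class starts and ends outside this hunk.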
@@ -110,7 +110,7 @@
elseif(isset($_POST['avatar']) && $_POST['avatar'] != '') {
$new_av = MiscFunctions::xml_clean($_POST['avatar']);
$ext = pathinfo($new_av, PATHINFO_EXTENSION);
if (!in_array($new_av,$exts) or $ext == "")
if (!in_array($ext,$exts) or $ext == "")
$upload_err = "The avatar is not a valid image file. File must be a gif,jpg, jpeg or png. Avatar has not been updated";
else
$rec['avatar'] = $new_av;
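Review bot: The corrected check `in_array($ext,$exts)` compares the extension case-sensitively and without `strict: true`, so `avatar.PNG` is rejected unless `$exts` (declared outside the hunk) lists upper-case variants. If `$new_av` is a URL rather than a bare filename — the hunk does not show how it is used — `pathinfo` takes the extension from everything after the last dot, so a query string or fragment can supply the matching extension while the path points elsewhere. Deriving the extension from the path component and normalising case keeps the whitelist meaningful: `$ext = strtolower(pathinfo((string) parse_url($new_av, PHP_URL_PATH), PATHINFO_EXTENSION));` followed by `if (!in_array($ext, $exts, true))`, which also makes the `$ext == ""` clause redundant. The surrounding `if/elseif` chain begins before this hunk.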
@@ -14,7 +14,7 @@
require_once('./includes/header.php');
$posts_tdb = new TdbFunctions(DB_DIR.'/', "posts.tdb");
$sText = '';
if (isset($_GET['q'])) $sText = $_GET['q'];
if (isset($_GET['q'])) $sText = PostingFunctions::encode_text($_GET['q']);
if (!$tdb->is_logged_in()) $_COOKIE["power_env"] = 0;
//build our forum list for selecting which forums to search from
$form_cats = $tdb->listRec("cats", 1);
@@ -62,8 +62,8 @@
MiscFunctions::echoTableFooter(SKIN_DIR);
echo "</form>";
//end form
if (isset($_GET['q']) && trim($_GET['q']) != "" || trim($_GET["q"]) == "" && trim($_GET["user"]) != "") {
$forums = array();
if (isset($_GET['q']) && trim(PostingFunctions::encode_text($_GET['q'])) != "" || trim(PostingFunctions::encode_text($_GET["q"])) == "" && trim(PostingFunctions::encode_text($_GET["user"])) != "") {
$forums = array();
$fRecs = $tdb->listRec("forums", 1);
if ($_GET["forums_req"] == "all") {
for($i = 0, $fmax = count($fRecs); $i < count($fRecs); $i++) {
@@ -76,17 +76,9 @@
}
if (isset($_GET["intopic"])) $intopic = TRUE;
else $intopic = FALSE;
$sText = $_GET['q'];
$sText = str_replace(",", "", $sText);
$sText = str_replace(".", "", $sText);
$sText = str_replace(";", "", $sText);
$sText = str_replace("?", "", $sText);
$sText = str_replace("\"", "", $sText);
$sText = str_replace("\'", "", $sText);
$sText = str_replace("+", "", $sText);
$sText = str_replace("-", "", $sText);
$sText = trim(PostingFunctions::encode_text($_GET['q']));
$words = explode(" ", $sText);
$userParam = $_GET["user"];
$userParam = trim(PostingFunctions::encode_text($_GET["user"]));
$sTopics = array();
foreach($words as $word) {
if ($_GET["req"] == "OR" && $userParam != "") $sTopics[] = "subject?'{$word}'&&user_name='{$userParam}'";
@@ -220,9 +212,9 @@
}
}
}
if (empty($resultTopics) && empty($resultPosts) && isset($_GET["q"]) && strlen(trim($_GET["q"])) > 0) {
if (empty($resultTopics) && empty($resultPosts) && isset($_GET["q"]) && strlen(trim(PostingFunctions::encode_text($_GET["q"]))) > 0) {
echo "<div class='alert'><div class='alert_text'>
<strong>Search failed!</strong></div><div style='padding:4px;'>......No results found......</div></div>";
}
require_once('./includes/footer.php');
?>
?>
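Review bot: In the hunk starting at `@@ -76,17`, the HTML-escaped form of `q` and `user` is now what gets interpolated into the TDB conditions (`subject?'{$word}'`, `user_name='{$userParam}'`), so a search containing `&`, `<`, `>`, `'` or `"` now looks for `&amp;`, `&lt;`, `&#039;` and so on and will only match if the stored subjects and user names are escaped the same way, which nothing in this commit shows. The same hunk also drops the stripping of `, . ; ? + -` from the query text; `?` appears to be an operator in that condition syntax, and whether it is harmless inside the quoted value needs checking against TdbFunctions before relying on it. Keeping the two concerns apart — escaping with encode_text only where `$sText` and `$userParam` are echoed, and separately restricting the query value (for example a whitelist such as `preg_replace('/[^\p{L}\p{N}_ ]/u', '', $_GET['q'])`, if that matches how subjects are stored) — avoids both problems. The condition in the hunk at `@@ -62,8` calls encode_text four times on the same two inputs and still reads `$_GET["q"]` and `$_GET["user"]` without isset; computing `$q = isset($_GET['q']) ? trim(PostingFunctions::encode_text($_GET['q'])) : '';` (and likewise `$user`) once before the `if` would make it both cheaper and readable.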
