SECURITY Using JSON instead of serialize() to stringify user data in …

…PageCommentsInterface
silverstripe · Sep 15, 2011 · d15e850 · d15e850
1 parent b5ea2f6
commit d15e850
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/code/sitefeatures/PageCommentInterface.php b/code/sitefeatures/PageCommentInterface.php
@@ -222,7 +222,7 @@ function PostCommentForm() {
 			foreach($fields as $field) {
 				if(!$field instanceof HiddenField) $visibleFields[] = $field->Name();
 			}
-			$form->loadDataFrom(unserialize($cookie), false, $visibleFields);
+			$form->loadDataFrom(Convert::json2array($cookie), false, $visibleFields);
 		}
 
 		return $form;
@@ -272,7 +272,7 @@ function DeleteAllLink() {
  */
 class PageCommentInterface_Form extends Form {
 	function postcomment($data) {
-		Cookie::set("PageCommentInterface_Data", serialize($data));
+		Cookie::set("PageCommentInterface_Data", Convert::raw2json($data));
 
 		// Spam filtering
 		if(SSAkismet::isEnabled()) {
@@ -333,7 +333,7 @@ function postcomment($data) {
 		$comment->write();
 
 		unset($data['Comment']);
-		Cookie::set("PageCommentInterface_Data", serialize($data));
+		Cookie::set("PageCommentInterface_Data", Convert::raw2json($data));
 
 		$moderationMsg = _t('PageCommentInterface_Form.AWAITINGMODERATION', "Your comment has been submitted and is now awaiting moderation.");