Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-04-27 17:59:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix XSS in forum

Browse Source
This commit is contained in:
slawkens 2023-11-27 22:58:24 +01:00
parent d1bc63d07a
commit 55dbade8d5
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
system/pages/forum/new_post.php
View File

@ -33,6 +33,11 @@ if(Forum::canPost($account_logged))
$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0); $smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0); $html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
$saved = false; $saved = false;
if (!superAdmin()) {
$html = 0;
}
if(isset($_REQUEST['quote'])) if(isset($_REQUEST['quote']))
{ {
$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll(); $quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();