Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-10-20 12:33:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix XSS in forum

Browse Source
This commit is contained in:
slawkens
2025-01-08 23:29:34 +01:00
parent 19d3e15c11
commit 580b888b1d
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
system/pages/forum/new_post.php
View File

@@ -24,7 +24,7 @@ if(Forum::canPost($account_logged))
if(isset($thread['id']) && Forum::hasAccess($thread['section']))
{
echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.htmlspecialchars($thread['post_topic']).'</a> >> <b>Post new reply</b><br /><h3>'.htmlspecialchars($thread['post_topic']).'</h3>';
$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
$text = isset($_REQUEST['text']) ? stripslashes(trim($_REQUEST['text'])) : NULL;
@@ -37,7 +37,7 @@ if(Forum::canPost($account_logged))
if (!superAdmin()) {
$html = 0;
}
if(isset($_REQUEST['quote']))
{
$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();