Fix possible XSS
authorgarvinhicking <garvinhicking>
Wed, 13 Jul 2005 13:33:07 +0000 (13:33 +0000)
committergarvinhicking <garvinhicking>
Wed, 13 Jul 2005 13:33:07 +0000 (13:33 +0000)
docs/NEWS
include/functions_comments.inc.php

index 4de155fabd90366dffccc571a0de82c5114dd221..b5330ca088de616e7d6785cbb6289644b14e1ac0 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -150,6 +150,9 @@ Version 0.9 ()
 Version 0.8.3 ()
 ------------------------------------------------------------------------
 
+   * Fixed possible XSS in comment input validation, thanks to 
+     Ilia  Alshanetsky
+
    * XML_RPC: Eliminate path disclosure vulnerabilities by suppressing
      error messages when eval()'ing. Eliminate path disclosure
      vulnerability by catching bogus parameters submitted
index e978cdb01f0a4f902c5b19f0057fc0e6df4d3d90..336c4776ea34bc0c4da38480c637e9bf8b76c451 100644 (file)
@@ -176,7 +176,14 @@ function serendipity_printComments($comments, $parentid = 0, $depth = 0, $trace
             if (!empty($comment['url']) && substr($comment['url'], 0, 7) != 'http://' && substr($comment['url'], 0, 8) != 'https://') {
                 $comment['url'] = 'http://' . $comment['url'];
             }
-
+            
+            if (!empty($comment['url'])) {
+                if (!@parse_url($comment['url'])) {
+                    $comment['url'] = '';
+                }
+                $comment['url'] = htmlspecialchars($comment['url'], ENT_QUOTES);
+            }
+            
             serendipity_plugin_api::hook_event('frontend_display', $comment);
 
             if (isset($comment['no_email']) && $comment['no_email']) {
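Review bot: The `!@parse_url($comment['url'])` guard on the new lines contributes little: parse_url() returns false only for severely malformed input, the two context lines above already force an `http://`/`https://` prefix, and the `@` hides the warning a malformed value would raise, so the line that actually neutralizes the reported XSS is the `htmlspecialchars(..., ENT_QUOTES)` call that follows. If the guard is meant to reject non-URLs, make it check the parsed result instead of its truthiness, e.g. `$parts = @parse_url($comment['url']); if ($parts === false || empty($parts['host'])) { $comment['url'] = ''; }`, and add a comment such as `// escape for HTML/attribute context; rejects values parse_url cannot read` so the intent of the two steps is clear. Note that the escaping now runs before `serendipity_plugin_api::hook_event('frontend_display', $comment)`, so any plugin that reads or re-escapes `$comment['url']` presumably sees the already-encoded value — worth confirming against the plugins that handle that event. The added lines at the start and end of the block carry trailing whitespace. serendipity_printComments() begins and ends outside this hunk.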