Fix possible XSS
authorgarvinhicking <garvinhicking>
Wed, 13 Jul 2005 13:32:04 +0000 (13:32 +0000)
committergarvinhicking <garvinhicking>
Wed, 13 Jul 2005 13:32:04 +0000 (13:32 +0000)
docs/NEWS
include/functions_comments.inc.php

index 5701e1c371987a7b1ba18f02a52238b7e987ce2c..e0eadcfb2bac0dc91f3d5bd5332473a56fd91657 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,11 +3,8 @@
 Version 0.8.3 ()
 ------------------------------------------------------------------------
 
-   * XML_RPC: Eliminate path disclosure vulnerabilities by suppressing
-     error messages when eval()'ing. Eliminate path disclosure
-     vulnerability by catching bogus parameters submitted
-     to XML_RPC_Value::serializeval(). (nohn)
-
+   * Fixed possible XSS in comment input validation, thanks to 
+     Ilia  Alshanetsky
 
 Version 0.8.2 (June 29th, 2005)
 ------------------------------------------------------------------------
index 027f956f10cf70447d320f5b797d574feb763e0f..62130941d276e24aac8982d1cf46049a4f3b2fe1 100644 (file)
@@ -177,6 +177,13 @@ function serendipity_printComments($comments, $parentid = 0, $depth = 0, $trace
                 $comment['url'] = 'http://' . $comment['url'];
             }
 
+            if (!empty($comment['url'])) {
+                if (!@parse_url($comment['url'])) {
+                    $comment['url'] = '';
+                }
+                $comment['url'] = htmlspecialchars($comment['url'], ENT_QUOTES);
+            }
+
             serendipity_plugin_api::hook_event('frontend_display', $comment);
 
             if (isset($comment['no_email']) && $comment['no_email']) {
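Review bot: `parse_url()` in the added check is not a URL validator — it returns false only for grossly malformed strings and accepts any scheme, so the new block still relies on the `http://` prefixing just above it (whose condition lies outside the hunk) to guarantee an http URL; restricting the scheme explicitly would make the check stand on its own, e.g. `$parts = @parse_url($comment['url']); if (!$parts || !isset($parts['scheme']) || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) { $comment['url'] = ''; }`. The `@` suppresses parse_url warnings instead of handling them, and `htmlspecialchars()` is called without an explicit charset, so the escaping depends on the PHP default. The escaped value is also written back into `$comment` before `hook_event('frontend_display', ...)`, so a plugin that escapes the URL again will double-encode it — a comment such as `// url is already HTML-escaped here; frontend_display plugins must not escape it again` would make that contract visible. `serendipity_printComments` starts and ends outside the hunk.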