]> git.mjollnir.org Git - s9y.git/commitdiff
projects / s9y.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 38959eb)
Now this is one funny XSS discovered by Rasmus:
authorgarvinhicking <garvinhicking>
Thu, 12 May 2005 18:19:28 +0000 (18:19 +0000)
committergarvinhicking <garvinhicking>
Thu, 12 May 2005 18:19:28 +0000 (18:19 +0000)
You could send HTTP Cookie HTML which does not get htmlspecialchar()ed and then exploit the page for yourself only, and no other viewers.

Rare case of a XSS and low-impact, but still not nice when advanced form redirection takes place and you want to XSS exploit a single user :-)

Please test, if anybody is reading this :-D

include/functions_comments.inc.php patch | blob | history

diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 7b3be7d96fd22d91cba44f3303d02648d3e82da5..98697306315e5becfaeb989f0201d2cf63e48fb8 100644 (file)
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -49,13 +49,13 @@ function serendipity_displayCommentForm($id, $url = '', $comments = NULL, $data
       array(
         'commentform_action'         => $url,
         'commentform_id'             => $id,
-        'commentform_name'           => isset($data['name'])     ? $data['name']       : (isset($serendipity['COOKIE']['name'])     ? $serendipity['COOKIE']['name']     : ''),
-        'commentform_email'          => isset($data['email'])    ? $data['email']      : (isset($serendipity['COOKIE']['email'])    ? $serendipity['COOKIE']['email']    : ''),
-        'commentform_url'            => isset($data['url'])      ? $data['url']        : (isset($serendipity['COOKIE']['url'])      ? $serendipity['COOKIE']['url']      : ''),
-        'commentform_remember'       => isset($data['remember']) ? 'checked="checked"' : (isset($serendipity['COOKIE']['remember']) ? $serendipity['COOKIE']['remember'] : ''),
+        'commentform_name'           => isset($data['name'])      ? htmlspecialchars($data['name'])       : (isset($serendipity['COOKIE']['name'])     ? htmlspecialchars($serendipity['COOKIE']['name'])     : ''),
+        'commentform_email'          => isset($data['email'])     ? htmlspecialchars($data['email'])      : (isset($serendipity['COOKIE']['email'])    ? htmlspecialchars($serendipity['COOKIE']['email'])    : ''),
+        'commentform_url'            => isset($data['url'])       ? htmlspecialchars($data['url'])        : (isset($serendipity['COOKIE']['url'])      ? htmlspecialchars($serendipity['COOKIE']['url'])      : ''),
+        'commentform_remember'       => isset($data['remember'])  ? 'checked="checked"'                   : (isset($serendipity['COOKIE']['remember']) ? 'checked="checked"' : ''),
         'commentform_replyTo'        => serendipity_generateCommentList($id, $comments, ((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),
         'commentform_subscribe'      => isset($data['subscribe']) ? 'checked="checked"' : '',
-        'commentform_data'           => isset($data['comment']) ? $data['comment'] : '',
+        'commentform_data'           => isset($data['comment'])   ? $data['comment'] : '',
         'is_commentform_showToolbar' => $showToolbar,
         'is_allowSubscriptions'      => $serendipity['allowSubscriptions'],
         'is_moderate_comments'       => $moderate_comments,
import of upstream's svn repo, along with my own branches