From: garvinhicking Date: Mon, 9 May 2005 13:03:20 +0000 (+0000) Subject: possible xss for shoutbox/templatedropdown, X-Git-Tag: 0.9~476 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=5134fb203f6853595fd185ff9f1067ddfe1cb6f2;p=s9y.git possible xss for shoutbox/templatedropdown, fix author pagination
---
diff --git a/docs/NEWS b/docs/NEWS
index 7c530a5..5691784 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@ Version 0.9 ()
 ------------------------------------------------------------------------
+ * Fix possible XSS when using the templatedropdown or shoutbox
+ plugins (garvinhicking)
+
+ * Fix pagination of "Entries by Author" (garvinhicking)
+
 * Fix RSS 1.0 missing top-level namespace (garvinhicking)
 * Added new event hook to the trackback sending facility so that
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 5bf13d7..b154344 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -657,7 +657,7 @@ function serendipity_currentURL() {
 $url = $serendipity['serendipityHTTPPath'] . $serendipity['indexFile'] . '?' . $uri['path'] . $qst;
 $url = str_replace($serendipity['indexFile'] . '&', '', $url); // Kill possible looped repitions which could occur
- return $url;
+ return strip_tags($url);
 }
 function serendipity_getUriArguments($uri, $wildcard = false) {
diff --git a/index.php b/index.php
index a38b276..6b130e1 100644
--- a/index.php
+++ b/index.php
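Review bot: strip_tags() on the returned URL is a weak fix for the XSS named in the commit: it only removes `<...>` sequences, so when the shoutbox or templatedropdown plugin presumably places this URL inside an HTML attribute, a quote character in the request path can still close the attribute, while a legitimate query string containing `<` is silently mangled. serendipity_currentURL() constructs a URL, so the robust place to neutralize it is the point of output — escape with `htmlspecialchars($url, ENT_QUOTES)` where the plugins write it into markup, and let the function keep returning the raw URL for non-HTML callers. If the strip_tags() call stays, a comment such as `// Defensive only: callers must still HTML-escape this URL when emitting it into markup` would stop readers from treating it as the sole protection. The body of serendipity_currentURL() begins outside the hunk.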
@@ -250,6 +250,20 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 include_once(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } else if (preg_match(PAT_AUTHORS, $uri, $matches)) {
+ $_args = $serendipity['uriArguments'];
+
+ /* Attempt to locate hidden variables within the URI */
+ foreach ($_args as $k => $v){
+ if ($v == PATH_AUTHORS) {
+ continue;
+ }
+ if ($v{0} == 'P') { /* Page */
+ $serendipity['GET']['page'] = substr($v, 1);
+ unset($_args[$k]);
+ unset($serendipity['uriArguments'][$k]);
+ }
+ }
+
 $serendipity['GET']['viewAuthor'] = $matches[1];
 $serendipity['GET']['action'] = 'read';
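Review bot: The page number extracted from the URI is stored unvalidated: `$serendipity['GET']['page'] = substr($v, 1);` accepts any string that follows the leading 'P', so whatever later consumes `$serendipity['GET']['page']` (presumably a query offset, not visible here) receives user-controlled text. Casting at this boundary, `$serendipity['GET']['page'] = (int) substr($v, 1);`, keeps the value an integer regardless of how downstream code uses it. The two comparisons should also be strict — `$v === PATH_AUTHORS` and `substr($v, 0, 1) === 'P'` — which additionally avoids the offset notice `$v{0}` would raise on an empty URI argument. The else-if block this loop sits in continues past the end of the hunk.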