From 4264055d1e1352395c9c0702198ca099a70bb131 Mon Sep 17 00:00:00 2001
From: garvinhicking <garvinhicking>
Date: Fri, 1 Feb 2008 14:10:14 +0000
Subject: [PATCH]     * Add ability to plugins to check uploaded media files
 for invalid       file extensions. Added more escaping to user- and
 groupnames       for untrusted author environments, thanks to Hanno Boeck.   
    (garvinhicking)

---
 docs/NEWS                                        |  5 +++++
 include/admin/category.inc.php                   |  8 ++++----
 include/admin/comments.inc.php                   |  3 +--
 include/admin/entries.inc.php                    |  4 ++--
 include/admin/entries_overview.inc.php           |  4 ++--
 include/admin/groups.inc.php                     | 14 +++++++-------
 include/admin/installer.inc.php                  |  2 +-
 include/admin/overview.inc.php                   |  2 +-
 include/admin/personal.inc.php                   |  2 +-
 include/admin/users.inc.php                      | 16 ++++++++--------
 include/functions_images.inc.php                 |  9 ++++++++-
 .../serendipity_event_entryproperties.php        |  2 +-
 serendipity_admin.php                            |  2 +-
 13 files changed, 42 insertions(+), 31 deletions(-)

diff --git a/docs/NEWS b/docs/NEWS
index 017b265..fab38df 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@
 Version 1.3 ()
 ------------------------------------------------------------------------
 
+    * Add ability to plugins to check uploaded media files for invalid
+      file extensions. Added more escaping to user- and groupnames
+      for untrusted author environments, thanks to Hanno Boeck.
+      (garvinhicking)
+
     * Added czech translation to bulletproof templates and bundled
       plugins, by Vlada Ajgl
 
diff --git a/include/admin/category.inc.php b/include/admin/category.inc.php
index 39307f0..ed70a31 100644
--- a/include/admin/category.inc.php
+++ b/include/admin/category.inc.php
@@ -120,9 +120,9 @@ if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormTok
             || (serendipity_checkPermission('adminCategoriesDelete') && ($serendipity['authorid'] == $this_cat['authorid'] || $this_cat['authorid'] == '0'))
             || (serendipity_checkPermission('adminCategoriesDelete') && serendipity_ACLCheck($serendipity['authorid'], $serendipity['GET']['cid'], 'category', 'write'))) {
 ?>
-        <form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo $serendipity['GET']['cid'] ?>">
+        <form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo (int)$serendipity['GET']['cid'] ?>">
         <?php echo serendipity_setFormToken(); ?>
-            <h3><?php echo $this_cat['category_name']; ?></h3>
+            <h3><?php echo htmlspecialchars($this_cat['category_name']); ?></h3>
             <?php echo CATEGORY_REMAINING ?>:
             <select name="serendipity[cat][remaining_catid]">
                 <option value="0">- <?php echo NO_CATEGORY ?> -</option>
@@ -170,7 +170,7 @@ if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormTok
     <tr>
         <td><?php echo NAME; ?></td>
         <td><input class="input_textbox" type="text" name="serendipity[cat][name]" value="<?php echo isset($this_cat['category_name']) ? htmlspecialchars($this_cat['category_name']) : ''; ?>" /></td>
-        <td rowspan="5" align="center" valign="middle" width="200" style="border: 1px solid #ccc"><img src="<?php echo isset($this_cat['category_icon']) ? $this_cat['category_icon'] : '' ?>" id="imagepreview" <?php echo empty($this_cat['category_icon']) ? 'style="display: none"' : '' ?> /></td>
+        <td rowspan="5" align="center" valign="middle" width="200" style="border: 1px solid #ccc"><img src="<?php echo isset($this_cat['category_icon']) ? htmlspecialchars($this_cat['category_icon']) : '' ?>" id="imagepreview" <?php echo empty($this_cat['category_icon']) ? 'style="display: none"' : '' ?> /></td>
     </tr>
 
     <tr>
@@ -279,7 +279,7 @@ if ( $serendipity['GET']['adminAction'] == 'view' ) {
                 <td width="16"><?php if ( !empty($category['category_icon']) ) {?><img src="<?php echo serendipity_getTemplateFile('admin/img/thumbnail.png') ?>" alt="" /><?php } else echo '&nbsp;' ?></td>
                 <td width="300" style="padding-left: <?php echo ($category['depth']*15)+20 ?>px"><img src="<?php echo serendipity_getTemplateFile('admin/img/folder.png') ?>" style="vertical-align: bottom;"> <?php echo htmlspecialchars($category['category_name']) ?></td>
                 <td><?php echo htmlspecialchars($category['category_description']) ?></td>
-                <td align="right"><?php echo ($category['authorid'] == '0' ? ALL_AUTHORS : $category['realname']); ?></td>
+                <td align="right"><?php echo ($category['authorid'] == '0' ? ALL_AUTHORS : htmlspecialchars($category['realname'])); ?></td>
             </tr>
 <?php           }
             } ?>
diff --git a/include/admin/comments.inc.php b/include/admin/comments.inc.php
index 6f15baf..0f6daa2 100644
--- a/include/admin/comments.inc.php
+++ b/include/admin/comments.inc.php
@@ -16,7 +16,7 @@ $summaryLength = 200;
 if ($serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
     foreach ( $serendipity['POST']['delete'] as $k => $v ) {
         serendipity_deleteComment($k, $v);
-        echo DONE . ': '. sprintf(COMMENT_DELETED, $k) . '<br />';
+        echo DONE . ': '. sprintf(COMMENT_DELETED, (int)$k) . '<br />';
     }
 }
 
@@ -89,7 +89,6 @@ if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActio
     if ($rs === false) {
         echo ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, (int)$serendipity['GET']['id']);
     } else {
-
         serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id'], true, true);
         echo DONE . ': '. sprintf(COMMENT_MODERATED, (int)$serendipity['GET']['id']);
     }
diff --git a/include/admin/entries.inc.php b/include/admin/entries.inc.php
index 08f3b84..c0a8075 100644
--- a/include/admin/entries.inc.php
+++ b/include/admin/entries.inc.php
@@ -116,7 +116,7 @@ function serendipity_drawList() {
                     $users = serendipity_fetchUsers();
                     if (is_array($users)) {
                         foreach ($users AS $user) {
-                            echo '<option value="' . $user['authorid'] . '" ' . (isset($serendipity['GET']['filter']['author']) && $serendipity['GET']['filter']['author'] == $user['authorid'] ? 'selected="selected"' : '') . '>' . $user['realname'] . '</option>' . "\n";
+                            echo '<option value="' . $user['authorid'] . '" ' . (isset($serendipity['GET']['filter']['author']) && $serendipity['GET']['filter']['author'] == $user['authorid'] ? 'selected="selected"' : '') . '>' . htmlspecialchars($user['realname']) . '</option>' . "\n";
                         }
                     }
 ?>              </select> <select name="serendipity[filter][isdraft]">
@@ -133,7 +133,7 @@ function serendipity_drawList() {
                     $categories = serendipity_fetchCategories();
                     $categories = serendipity_walkRecursive($categories, 'categoryid', 'parentid', VIEWMODE_THREADED);
                     foreach ( $categories as $cat ) {
-                        echo '<option value="'. $cat['categoryid'] .'"'. ($serendipity['GET']['filter']['category'] == $cat['categoryid'] ? ' selected="selected"' : '') .'>'. str_repeat('&nbsp;', $cat['depth']) . $cat['category_name'] .'</option>' . "\n";
+                        echo '<option value="'. $cat['categoryid'] .'"'. ($serendipity['GET']['filter']['category'] == $cat['categoryid'] ? ' selected="selected"' : '') .'>'. str_repeat('&nbsp;', $cat['depth']) . htmlspecialchars($cat['category_name']) .'</option>' . "\n";
                     }
 ?>              </select>
             </td>
diff --git a/include/admin/entries_overview.inc.php b/include/admin/entries_overview.inc.php
index b9a593f..405a4f6 100644
--- a/include/admin/entries_overview.inc.php
+++ b/include/admin/entries_overview.inc.php
@@ -1,12 +1,12 @@
 <?php # $Id$
 # Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
 # All rights reserved.  See LICENSE file for licensing details
+/* vim: set sts=4 ts=4 expandtab : */
 
 if (IN_serendipity !== true) {
     die ('Don\'t hack!');
 }
 
-echo WELCOME_BACK . ' ' . $_SESSION['serendipityUser'];
+echo WELCOME_BACK . ' ' . htmlspecialchars($_SESSION['serendipityUser']);
 
-/* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/include/admin/groups.inc.php b/include/admin/groups.inc.php
index a85435f..cd84d2a 100644
--- a/include/admin/groups.inc.php
+++ b/include/admin/groups.inc.php
@@ -14,7 +14,7 @@ if (!serendipity_checkPermission('adminUsersGroups')) {
 if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
     $group = serendipity_fetchGroup($serendipity['POST']['group']);
     serendipity_deleteGroup($serendipity['POST']['group']);
-    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_GROUP . '</div>', $serendipity['POST']['group'], $group['name']);
+    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_GROUP . '</div>', htmlspecialchars($serendipity['POST']['group']), htmlspecialchars($group['name']));
 }
 
 /* Save new group */
@@ -22,7 +22,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
     $serendipity['POST']['group'] = serendipity_addGroup($serendipity['POST']['name']);
     $perms = serendipity_getAllPermissionNames();
     serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST'], false, $serendipity['POST']['forbidden_plugins'], $serendipity['POST']['forbidden_hooks']);
-    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_GROUP . '</div>', '#' . $serendipity['POST']['group'] . ', ' . $serendipity['POST']['name']);
+    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_GROUP . '</div>', '#' . htmlspecialchars($serendipity['POST']['group']) . ', ' . htmlspecialchars($serendipity['POST']['name']));
 }
 
 
@@ -30,7 +30,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
 if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
     $perms = serendipity_getAllPermissionNames();
     serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST'], false, $serendipity['POST']['forbidden_plugins'], $serendipity['POST']['forbidden_hooks']);
-    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_GROUP . '</div>', $serendipity['POST']['name']);
+    printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_GROUP . '</div>', htmlspecialchars($serendipity['POST']['name']));
 }
 
 if ( $serendipity['GET']['adminAction'] != 'delete' ) {
@@ -57,8 +57,8 @@ foreach($groups as $group) {
 <table width="100%">
     <tr>
         <td><?php echo htmlspecialchars($group['name']); ?></td>
-        <td width="200" align="right"> <a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=edit&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo EDIT . " " . $group['name']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . $group['name']; ?>" /><?php echo EDIT ?></a>
-                                       <a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=groups&amp;serendipity[adminAction]=delete&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo DELETE . " " . $group['name']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . $group['name']; ?>" /><?php echo DELETE ?></a></td>
+        <td width="200" align="right"> <a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=edit&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo EDIT . " " . htmlspecialchars($group['name']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . htmlspecialchars($group['name']); ?>" /><?php echo EDIT ?></a>
+                                       <a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=groups&amp;serendipity[adminAction]=delete&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo DELETE . " " . htmlspecialchars($group['name']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . htmlspecialchars($group['name']); ?>" /><?php echo DELETE ?></a></td>
     </tr>
 </table>
 </div>
@@ -247,10 +247,10 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
 ?>
 <form action="?serendipity[adminModule]=groups" method="post">
     <div>
-    <?php printf(DELETE_GROUP, $serendipity['GET']['group'], $group['name']); ?>
+    <?php printf(DELETE_GROUP, (int)$serendipity['GET']['group'], htmlspecialchars($group['name'])); ?>
         <br /><br />
         <?php echo serendipity_setFormToken(); ?>
-        <input type="hidden" name="serendipity[group]" value="<?php echo $serendipity['GET']['group']; ?>" />
+        <input type="hidden" name="serendipity[group]" value="<?php echo htmlspecialchars($serendipity['GET']['group']); ?>" />
         <input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton input_button" />
         <input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton input_button" />
     </div>
diff --git a/include/admin/installer.inc.php b/include/admin/installer.inc.php
index 90702a7..32671be 100644
--- a/include/admin/installer.inc.php
+++ b/include/admin/installer.inc.php
@@ -478,7 +478,7 @@ if ( (int)$serendipity['GET']['step'] == 0 ) {
         serendipity_installDatabase();
         echo ' <strong>' . DONE . '</strong><br />';
 
-        echo sprintf(CREATING_PRIMARY_AUTHOR, $_POST['user']) .'...';
+        echo sprintf(CREATING_PRIMARY_AUTHOR, htmlspecialchars($_POST['user'])) .'...';
         $authorid = serendipity_addAuthor($_POST['user'], $_POST['pass'], $_POST['realname'], $_POST['email'], USERLEVEL_ADMIN);
         $mail_comments =  (serendipity_db_bool($_POST['want_mail']) ? 1 : 0);
         serendipity_set_user_var('mail_comments', $mail_comments, $authorid);
diff --git a/include/admin/overview.inc.php b/include/admin/overview.inc.php
index fe1654c..734d88a 100644
--- a/include/admin/overview.inc.php
+++ b/include/admin/overview.inc.php
@@ -11,7 +11,7 @@ $user = serendipity_fetchAuthor($serendipity['authorid']);
 $bookmarklet = "javascript:bm=document.selection?document.selection.createRange().text:document.getSelection();void(newwin=open('" . $serendipity['baseURL'] . "serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new&serendipity[title]='+ escape(document.title) + '&serendipity[body]=' + escape(bm) +'&serendipity[url]=' + escape(location.href), 'new_log_entry','resizable=yes, scrollbars=yes, width=800, height=600, location=yes,status=yes')); newwin.focus();";
 
 $output = array(
-    'welcome'       => WELCOME_BACK . ' ' . $user[0]['realname'],
+    'welcome'       => WELCOME_BACK . ' ' . htmlspecialchars($user[0]['realname']),
     'show_links'    => true,
     'links_title'   => FURTHER_LINKS,
     'bookmarklet'   => $bookmarklet,
diff --git a/include/admin/personal.inc.php b/include/admin/personal.inc.php
index 78d83be..0a27490 100644
--- a/include/admin/personal.inc.php
+++ b/include/admin/personal.inc.php
@@ -94,7 +94,7 @@ if ($serendipity['GET']['adminAction'] == 'save' && serendipity_checkFormToken()
         }
         $from = $_POST;
 ?>
-    <div class="serendipityAdminMsgSuccess"><img width="22px" height="22px" style="border: 0px; padding-right: 4px; vertical-align: middle" src="<?php echo serendipity_getTemplateFile('admin/img/admin_msg_success.png'); ?>" alt="" /><?php echo sprintf(MODIFIED_USER, $_POST['realname']) ?></div>
+    <div class="serendipityAdminMsgSuccess"><img width="22px" height="22px" style="border: 0px; padding-right: 4px; vertical-align: middle" src="<?php echo serendipity_getTemplateFile('admin/img/admin_msg_success.png'); ?>" alt="" /><?php echo sprintf(MODIFIED_USER, htmlspecialchars($_POST['realname'])) ?></div>
 <?php }
 } ?>
 
diff --git a/include/admin/users.inc.php b/include/admin/users.inc.php
index b373f95..540e88c 100644
--- a/include/admin/users.inc.php
+++ b/include/admin/users.inc.php
@@ -25,7 +25,7 @@ if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
         if (serendipity_checkPermission('adminUsersMaintainOthers') ||
             (serendipity_checkPermission('adminUsersMaintainSame') && $group_intersect)) {
             serendipity_deleteAuthor($user[0]['authorid']);
-            printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_USER . '</div>', $serendipity['POST']['user'], $user[0]['realname']);
+            printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_USER . '</div>', htmlspecialchars($serendipity['POST']['user']), htmlspecialchars($user[0]['realname']));
             serendipity_plugin_api::hook_event('backend_users_delete', $user[0]);
         } else {
             echo '<div class="serendipityAdminMsgError"><img style="width: 22px; height: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_error.png') . '" alt="" />' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
@@ -90,7 +90,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
         }
 
         serendipity_plugin_api::hook_event('backend_users_add', $serendipity['POST']['user']);
-        printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_USER . '</div>', '#' . $serendipity['POST']['user'] . ', ' . $_POST['realname']);
+        printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_USER . '</div>', '#' . htmlspecialchars($serendipity['POST']['user']) . ', ' . htmlspecialchars($_POST['realname']));
     }
 }
 
@@ -161,7 +161,7 @@ if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
         serendipity_updatePermalink($pl_data, 'author');
 
         serendipity_plugin_api::hook_event('backend_users_edit', $pl_data);
-        printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_USER . '</div>', $_POST['realname']);
+        printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_USER . '</div>', htmlspecialchars($_POST['realname']));
     }
 }
 
@@ -202,8 +202,8 @@ if (is_array($users)) {
 <?php /* TODO: Add username to list once tom figures out how to fix uneven rowstyles */ ?>
         <td><img src="<?php echo $img ?>" alt="" style="border: 0px none ; vertical-align: bottom; display: inline;" /> <?php echo htmlspecialchars($user['realname']); ?></td>
         <td width="100" align="center"><?php echo $user['userlevel']; ?></td>
-        <td width="200" align="right"> <a href="?serendipity[adminModule]=users&amp;serendipity[adminAction]=edit&amp;serendipity[userid]=<?php echo $user['authorid'] ?>#editform" title="<?php echo EDIT . " " . $user['realname']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . $user['realname']; ?>" /><?php echo EDIT ?></a>
-                                       <a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=users&amp;serendipity[adminAction]=delete&amp;serendipity[userid]=<?php echo $user['authorid'] ?>" title="<?php echo DELETE . " " . $user['realname']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . $user['realname']; ?>" /><?php echo DELETE ?></a></td>
+        <td width="200" align="right"> <a href="?serendipity[adminModule]=users&amp;serendipity[adminAction]=edit&amp;serendipity[userid]=<?php echo $user['authorid'] ?>#editform" title="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" /><?php echo EDIT ?></a>
+                                       <a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=users&amp;serendipity[adminAction]=delete&amp;serendipity[userid]=<?php echo $user['authorid'] ?>" title="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" /><?php echo DELETE ?></a></td>
     </tr>
 </table>
 </div>
@@ -253,7 +253,7 @@ if ($serendipity['GET']['adminAction'] == 'edit') {
         echo EDIT;
         $from = &$user[0];
         unset($from['password']);
-        echo '<input type="hidden" name="serendipity[user]" value="' . $from['authorid'] . '" />';
+        echo '<input type="hidden" name="serendipity[user]" value="' . (int)$from['authorid'] . '" />';
     } else {
         echo '<strong>' . CREATE_NOT_AUTHORIZED . '</strong><br />';
         echo EDIT;
@@ -294,10 +294,10 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
 ?>
 <form action="?serendipity[adminModule]=users" method="post">
     <div>
-    <?php printf(DELETE_USER, $serendipity['GET']['userid'], $user[0]['realname']); ?>
+    <?php printf(DELETE_USER, (int)$serendipity['GET']['userid'], htmlspecialchars($user[0]['realname'])); ?>
         <br /><br />
         <?php echo serendipity_setFormToken(); ?>
-        <input type="hidden" name="serendipity[user]" value="<?php echo $serendipity['GET']['userid']; ?>" />
+        <input type="hidden" name="serendipity[user]" value="<?php echo (int)$serendipity['GET']['userid']; ?>" />
         <input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton input_button" />
         <input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton input_button" />
     </div>
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index 649ede9..8a8ba2b 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -24,7 +24,14 @@ function serendipity_isActiveFile($file) {
         return true;
     }
 
-    return preg_match('@\.(php[345]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
+    $core = preg_match('@\.(php[345]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
+    if ($core) {
+        return true;
+    }
+    
+    $eventData = false;
+    serendipity_plugin_api::hook_event('backend_media_check', $eventData, $file);
+    return $eventData;
 }
 
 /**
diff --git a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
index 87683e7..b28f404 100644
--- a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
+++ b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
@@ -380,7 +380,7 @@ class serendipity_event_entryproperties extends serendipity_event
                                 $avail_users =& $this->getValidAuthors();
 
                                 foreach($avail_users AS $user) {
-                                    echo '<option value="' . $user['authorid'] . '" ' . ($selected_user == $user['authorid'] ? ' selected="selected"' : '') . '>' . $user['realname'] . '</option>' . "\n";
+                                    echo '<option value="' . $user['authorid'] . '" ' . ($selected_user == $user['authorid'] ? ' selected="selected"' : '') . '>' . htmlspecialchars($user['realname']) . '</option>' . "\n";
                                 }
                                 ?>
                                 </select>
diff --git a/serendipity_admin.php b/serendipity_admin.php
index 71aa299..7b97cb8 100644
--- a/serendipity_admin.php
+++ b/serendipity_admin.php
@@ -59,7 +59,7 @@ if (defined('IS_up2date') && IS_up2date === true && IS_installed === true) {
 $is_logged_in = serendipity_userLoggedIn();
 
 if ($is_logged_in) {
-    $self_info = sprintf(USER_SELF_INFO, $serendipity['serendipityUser'], $serendipity['permissionLevels'][$serendipity['serendipityUserlevel']]);
+    $self_info = sprintf(USER_SELF_INFO, htmlspecialchars($serendipity['serendipityUser']), $serendipity['permissionLevels'][$serendipity['serendipityUserlevel']]);
 } else {
     $self_info = '';
 }
-- 
2.39.5