From bbf0c8de24ad8210142fbfa81d6039034287c07b Mon Sep 17 00:00:00 2001 From: garvinhicking Date: Thu, 12 May 2005 18:19:28 +0000 Subject: [PATCH] Now this is one funny XSS discovered by Rasmus: You could send HTTP Cookie HTML which does not get htmlspecialchar()ed and then exploit the page for yourself only, and no other viewers. Rare case of a XSS and low-impact, but still not nice when advanced form redirection takes place and you want to XSS exploit a single user :-) Please test, if anybody is reading this :-D
---
 include/functions_comments.inc.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 7b3be7d..9869730 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -49,13 +49,13 @@ function serendipity_displayCommentForm($id, $url = '', $comments = NULL, $data
 array(
 'commentform_action' => $url,
 'commentform_id' => $id,
- 'commentform_name' => isset($data['name']) ? $data['name'] : (isset($serendipity['COOKIE']['name']) ? $serendipity['COOKIE']['name'] : ''),
- 'commentform_email' => isset($data['email']) ? $data['email'] : (isset($serendipity['COOKIE']['email']) ? $serendipity['COOKIE']['email'] : ''),
- 'commentform_url' => isset($data['url']) ? $data['url'] : (isset($serendipity['COOKIE']['url']) ? $serendipity['COOKIE']['url'] : ''),
- 'commentform_remember' => isset($data['remember']) ? 'checked="checked"' : (isset($serendipity['COOKIE']['remember']) ? $serendipity['COOKIE']['remember'] : ''),
+ 'commentform_name' => isset($data['name']) ? htmlspecialchars($data['name']) : (isset($serendipity['COOKIE']['name']) ? htmlspecialchars($serendipity['COOKIE']['name']) : ''),
+ 'commentform_email' => isset($data['email']) ? htmlspecialchars($data['email']) : (isset($serendipity['COOKIE']['email']) ? htmlspecialchars($serendipity['COOKIE']['email']) : ''),
+ 'commentform_url' => isset($data['url']) ? htmlspecialchars($data['url']) : (isset($serendipity['COOKIE']['url']) ? htmlspecialchars($serendipity['COOKIE']['url']) : ''),
+ 'commentform_remember' => isset($data['remember']) ? 'checked="checked"' : (isset($serendipity['COOKIE']['remember']) ? 'checked="checked"' : ''),
 'commentform_replyTo' => serendipity_generateCommentList($id, $comments, ((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),
 'commentform_subscribe' => isset($data['subscribe']) ? 'checked="checked"' : '',
- 'commentform_data' => isset($data['comment']) ? $data['comment'] : '',
+ 'commentform_data' => isset($data['comment']) ? $data['comment'] : '',
 'is_commentform_showToolbar' => $showToolbar,
 'is_allowSubscriptions' => $serendipity['allowSubscriptions'],
 'is_moderate_comments' => $moderate_comments,
-- 2.39.5
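Review bot: The new `htmlspecialchars()` calls on the `commentform_name`, `commentform_email` and `commentform_url` lines use the default quote handling, which leaves single quotes untouched, so the escaping is only sufficient if the template emits these values inside double-quoted attributes or element content; passing the flag explicitly, e.g. `htmlspecialchars($data['name'], ENT_QUOTES)`, at the six call sites makes the output safe regardless of how the template quotes the attribute. The `commentform_data` pair near the end of the hunk is only re-aligned and still hands `$data['comment']` to the template unescaped; unless the template escapes it itself, the resubmitted comment body reaches the form raw, which is the same class of issue this commit closes for the other fields. If escaping is meant to happen here rather than in the template, apply `htmlspecialchars()` on that line too so all `$data` fields are treated consistently. The enclosing serendipity_displayCommentForm() starts before and continues past this hunk.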