[interchange-cvs] interchange - heins modified
dist/standard/pages/forum/submit.html
interchange-cvs at icdevgroup.org
Thu Sep 22 12:59:07 EDT 2005
User: heins
Date: 2005-09-22 16:59:07 GMT
Modified: dist/standard/pages/forum submit.html
Log:
* Fix scrub() routine to remove security hole found by Neil of Webmaint.
Revision Changes Path
1.4 +6 -1 interchange/dist/standard/pages/forum/submit.html
rev 1.4, prev_rev 1.3
Index: submit.html
===================================================================
RCS file: /var/cvs/interchange/dist/standard/pages/forum/submit.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- submit.html 4 Jun 2005 05:49:40 -0000 1.3
+++ submit.html 22 Sep 2005 16:59:07 -0000 1.4
@@ -48,13 +48,16 @@
my $noscrub;
if(! $type) {
# do nothing
+ $value =~ s/\[/[/g;
}
elsif($type eq '2') {
$value = $Tag->filter('text2html', $value);
+ $value =~ s/\[/[/g;
}
elsif($type eq '4') {
unless ($value =~ m{</\s*xmp\s*>}i) {
$noscrub = 1;
+ $value =~ s/\[//g;
$value = "<XMP>$value</XMP>";
}
}
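Review bot: the bracket substitution in the untyped and type-2 branches reads here as `s/\[/[/g`, which as rendered replaces `[` with itself and would be a no-op; that looks like the mail renderer decoding an HTML entity in the replacement, so confirm the committed file really rewrites `[` to an escaped form rather than leaving it in place, since the whole point of the change is to stop user-supplied `[...]` from being interpolated as Interchange tags. The type-4 branch only strips `[` inside the `unless ($value =~ m{</\s*xmp\s*>}i)` block, so a submission that already contains `</xmp>` skips both `$noscrub = 1` and the `s/\[//g`; make sure the fall-through scrub path, which is not in this hunk, neutralises brackets too. Minor: the `# do nothing` comment in the `if(! $type)` branch is now stale, as that branch does something.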
@@ -77,7 +80,9 @@
<table>
<tr>
<td bgcolor="#eeeeee">
- <B>[cgi name=subject filter=restrict_html]<br>
+ [restrict enable=cgi]
+ <B>[cgi name=subject filter="restrict_html"]<br>
+ [/restrict]
by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
</td>
</tr>
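Review bot: wrapping the subject in `[restrict enable=cgi]` covers the reparse of `[cgi name=subject ...]`, but the same cell also emits `[value fname]`, which is user-supplied and sits outside the restricted region; either confirm that `[value]` output is not reparsed for tags or move the by-line inside the `[restrict]` block as well. Minor, in the unchanged context: the line ends with `<B>` where a closing `</B>` is evidently meant, so the bold element is never closed.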