From 3e09f3ea83f4203cbb7f76fd1b9fb086073a353e Mon Sep 17 00:00:00 2001
From: mistic100 <mistic@piwigo.org>
Date: Thu, 23 Jan 2014 11:08:56 +0000
Subject: Merged revision(s) 26916 from trunk: bug 3029: XSS on website_url
 comment form

git-svn-id: http://piwigo.org/svn/branches/2.5@26920 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/functions_comment.inc.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index dc218a2ff..b0d704798 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -135,6 +135,7 @@ SELECT COUNT(*) AS user_exists
   // website
   if (!empty($comm['website_url']))
   {
+    $comm['website_url'] = strip_tags($comm['website_url']);
     if (!preg_match('/^https?/i', $comm['website_url']))
     {
       $comm['website_url'] = 'http://'.$comm['website_url'];
@@ -338,6 +339,7 @@ function update_user_comment($comment, $post_key)
   // website
   if (!empty($comment['website_url']))
   {
+    $comm['website_url'] = strip_tags($comm['website_url']);
     if (!preg_match('/^https?/i', $comment['website_url']))
     {
       $comment['website_url'] = 'http://'.$comment['website_url'];
-- 
cgit v1.2.3