From d9d37d76c66c8bd5cdccba08ea7bbd050d70f408 Mon Sep 17 00:00:00 2001
From: rub <rub@piwigo.org>
Date: Wed, 3 Jan 2007 23:27:32 +0000
Subject: Fixed: HTML vulnerability (Cross Site Scripting). Fixed: All comments
 are displayed on comments.php

git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1695 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/user_list.php |  2 +-
 comments.php        | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/admin/user_list.php b/admin/user_list.php
index c1e6fac2c..21ba58806 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -485,7 +485,7 @@ $template->assign_vars(
     'U_HELP' => PHPWG_ROOT_PATH.'popuphelp.php?page=user_list',
     
     'F_ADD_ACTION' => $base_url,
-    'F_USERNAME' => @$_GET['username'],
+    'F_USERNAME' => @htmlentities($_GET['username']),
     'F_FILTER_ACTION' => PHPWG_ROOT_PATH.'admin.php'
     ));
 
diff --git a/comments.php b/comments.php
index 28f4bf410..eecf4575e 100644
--- a/comments.php
+++ b/comments.php
@@ -144,6 +144,10 @@ if (isset($_GET['keyword']) and !empty($_GET['keyword']))
     ')';
 }
 
+// Only validated on 1.6.x
+// on 1.7, admin can see all because he can be validated or rejected comments
+$page['status_clause'] = 'validated="true"';
+
 // +-----------------------------------------------------------------------+
 // |                         comments management                           |
 // +-----------------------------------------------------------------------+
@@ -184,8 +188,8 @@ $template->assign_vars(
     'L_COMMENT_TITLE' => $title,
 
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@$_GET['keyword'],
-    'F_AUTHOR'=>@$_GET['author'],
+    'F_KEYWORD'=>@htmlentities($_GET['keyword']),
+    'F_AUTHOR'=>@htmlentities($_GET['author']),
 
     'U_HOME' => make_index_url(),
     )
@@ -298,7 +302,8 @@ SELECT COUNT(DISTINCT(id))
   WHERE '.$since_options[$page['since']]['clause'].'
     AND '.$page['cat_clause'].'
     AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'];
+    AND '.$page['keyword_clause'].'
+    AND '.$page['status_clause'];
 if ($user['forbidden_categories'] != '')
 {
   $query.= '
@@ -340,7 +345,8 @@ SELECT com.id AS comment_id
   WHERE '.$since_options[$page['since']]['clause'].'
     AND '.$page['cat_clause'].'
     AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'];
+    AND '.$page['keyword_clause'].'
+    AND '.$page['status_clause'];
 if ($user['forbidden_categories'] != '')
 {
   $query.= '
-- 
cgit v1.2.3