diff options
| author | mistic100 <mistic@piwigo.org> | 2014-01-23 11:08:56 +0000 |
|---|---|---|
| committer | mistic100 <mistic@piwigo.org> | 2014-01-23 11:08:56 +0000 |
| commit | 3e09f3ea83f4203cbb7f76fd1b9fb086073a353e (patch) | |
| tree | 0d8d244650e2384a9167d1509034c64cc3a11641 | |
| parent | f4089737e0760e9d790acd34434ba34b561965f9 (diff) | |
Merged revision(s) 26916 from trunk:
bug 3029: XSS on website_url comment form
git-svn-id: http://piwigo.org/svn/branches/2.5@26920 68402e56-0260-453c-a942-63ccdbb3a9ee
| -rw-r--r-- | include/functions_comment.inc.php | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index dc218a2ff..b0d704798 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -135,6 +135,7 @@ SELECT COUNT(*) AS user_exists // website if (!empty($comm['website_url'])) { + $comm['website_url'] = strip_tags($comm['website_url']); if (!preg_match('/^https?/i', $comm['website_url'])) { $comm['website_url'] = 'http://'.$comm['website_url']; @@ -338,6 +339,7 @@ function update_user_comment($comment, $post_key) // website if (!empty($comment['website_url'])) { + $comm['website_url'] = strip_tags($comm['website_url']); if (!preg_match('/^https?/i', $comment['website_url'])) { $comment['website_url'] = 'http://'.$comment['website_url']; |