aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authormistic100 <mistic@piwigo.org>2014-01-23 11:08:22 +0000
committermistic100 <mistic@piwigo.org>2014-01-23 11:08:22 +0000
commit9f266381dbe0180e51546e2ebfa667e0013541eb (patch)
tree034bf21e7cd32b396287a03aee61797b32266dd5 /include
parentd5b3d5dabdcdfff93b8c2b997cf42383c4a58345 (diff)
Merged revision(s) 26916 from trunk:
bug 3029: XSS on website_url comment form git-svn-id: http://piwigo.org/svn/branches/2.6@26919 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r--include/functions_comment.inc.php2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index f14431cf7..3e0dd0f69 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -147,6 +147,7 @@ SELECT COUNT(*) AS user_exists
// website
if (!empty($comm['website_url']))
{
+ $comm['website_url'] = strip_tags($comm['website_url']);
if (!preg_match('/^https?/i', $comm['website_url']))
{
$comm['website_url'] = 'http://'.$comm['website_url'];
@@ -351,6 +352,7 @@ function update_user_comment($comment, $post_key)
// website
if (!empty($comment['website_url']))
{
+ $comm['website_url'] = strip_tags($comm['website_url']);
if (!preg_match('/^https?/i', $comment['website_url']))
{
$comment['website_url'] = 'http://'.$comment['website_url'];