From 9f266381dbe0180e51546e2ebfa667e0013541eb Mon Sep 17 00:00:00 2001 From: mistic100 Date: Thu, 23 Jan 2014 11:08:22 +0000 Subject: Merged revision(s) 26916 from trunk: bug 3029: XSS on website_url comment form git-svn-id: http://piwigo.org/svn/branches/2.6@26919 68402e56-0260-453c-a942-63ccdbb3a9ee --- include/functions_comment.inc.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index f14431cf7..3e0dd0f69 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -147,6 +147,7 @@ SELECT COUNT(*) AS user_exists // website if (!empty($comm['website_url'])) { + $comm['website_url'] = strip_tags($comm['website_url']); if (!preg_match('/^https?/i', $comm['website_url'])) { $comm['website_url'] = 'http://'.$comm['website_url']; @@ -351,6 +352,7 @@ function update_user_comment($comment, $post_key) // website if (!empty($comment['website_url'])) { + $comm['website_url'] = strip_tags($comm['website_url']); if (!preg_match('/^https?/i', $comment['website_url'])) { $comment['website_url'] = 'http://'.$comment['website_url']; -- cgit v1.2.3