Revision 1405
Added by FrankH almost 14 years ago
- Security fix (XSS) in form module, thanks to Michael Schwarz
branches/2.8.x/CHANGELOG | ||
11 | 11 |
! = Update/Change |
12 | 12 |
|
13 | 13 |
------------------------------------- 2.8.2 ------------------------------------- |
14 |
22 Jan-2011 Build 1405 Frank Heyne (FrankH) |
|
15 |
# Security fix (XSS) in form module, thanks to Michael Schwarz |
|
14 | 16 |
22 Jan-2011 Build 1404 Dietmar Woellbrink (Luisehahne) |
15 | 17 |
# Security fix in pages |
16 | 18 |
22 Jan-2011 Build 1403 Dietmar Woellbrink (Luisehahne) |
... | ... | |
19 | 21 |
! secure peparing and beginning fix admin/pages |
20 | 22 |
21 Jan-2011 Build 1401 Frank Heyne (FrankH) |
21 | 23 |
! fixed changelog |
22 |
#21 Jan-2011 Build 1400 Frank Heyne (FrankH)
|
|
24 |
21 Jan-2011 Build 1400 Frank Heyne (FrankH) |
|
23 | 25 |
# Security fix in account |
24 | 26 |
# Security fix in admin/media, thanks to hal 9000 |
25 | 27 |
21 Jan-2011 Build 1399 Dietmar Woellbrink (Luisehahne) |
branches/2.8.x/wb/admin/interface/version.php | ||
52 | 52 |
|
53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.2.RC5'); |
55 |
if(!defined('REVISION')) define('REVISION', '1404');
|
|
55 |
if(!defined('REVISION')) define('REVISION', '1405');
|
|
56 | 56 |
|
57 | 57 |
?> |
branches/2.8.x/wb/admin/preferences/save.php | ||
30 | 30 |
$err_msg = array(); |
31 | 31 |
$min_pass_length = 6; |
32 | 32 |
// first check form-tan |
33 |
if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['PAGES']['NOT_SAVED']; }
|
|
33 |
if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
|
|
34 | 34 |
// Get entered values and validate all |
35 | 35 |
// remove any dangerouse chars from display_name |
36 | 36 |
$display_name = $admin->add_slashes(strip_tags(trim($admin->get_post('display_name')))); |
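Review bot: The failed form-token check at new line 33 only appends a message to `$err_msg`, and the lines that follow (new 34–36) go on to read and process the posted values, so whether the save is actually aborted depends on how `$err_msg` is evaluated later in the file, outside this hunk. A failed FTAN check is a reason to stop handling the request, not one validation error to collect alongside the others, so it would be safer to exit before any posted value is touched. At minimum the dependency should be made explicit with a comment such as `// a failed FTAN must abort the whole save - confirm $err_msg is acted on before anything is written`. Changing the message to `GENERIC_SECURITY_ACCESS` only helps if the caller really stops on it.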
branches/2.8.x/wb/modules/form/view.php | ||
430 | 430 |
} else { |
431 | 431 |
$submitted_by = 0; |
432 | 432 |
} |
433 |
$email_body = $wb->add_slashes($email_body);
|
|
433 |
$email_body = htmlspecialchars($wb->add_slashes($email_body));
|
|
434 | 434 |
$database->query("INSERT INTO ".TABLE_PREFIX."mod_form_submissions (page_id,section_id,submitted_when,submitted_by,body) VALUES ('".PAGE_ID."','$section_id','".time()."','$submitted_by','$email_body')"); |
435 | 435 |
// Make sure submissions table isn't too full |
436 | 436 |
$query_submissions = $database->query("SELECT submission_id FROM ".TABLE_PREFIX."mod_form_submissions ORDER BY submitted_when"); |
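Review bot: At new line 433 the HTML encoding is applied after `add_slashes`, so the backslashes inserted for the SQL layer end up in front of quotes that `htmlspecialchars` then turns into entities (depending on the PHP version's default flags, `\"` becomes `\&quot;`); the database strips the orphaned backslash and the stored value is correct only by accident. Escaping should be applied inside-out, HTML context first and the database escape last, i.e. `$email_body = $wb->add_slashes(htmlspecialchars($email_body));`, so what is stored is exactly the encoded string. The INSERT on line 434 still interpolates `$email_body`, `$section_id` and `$submitted_by` directly into the SQL string, and `$submitted_by` is only known to be `0` on the `else` branch visible here; a prepared statement would close that class of issue regardless of escaping order. Storing the body HTML-encoded also means any non-HTML consumer of the `body` column (a plain-text mail, an export) now sees entities, so encoding at the output point would be the conventional placement, though that is a wider change than this fix.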