
Revision 1405

Added by FrankH over 13 years ago

  1. Security fix (XSS) in form module, thanks to Michael Schwarz


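--- a/branches/2.8.x/CHANGELOG
+++ b/branches/2.8.x/CHANGELOG
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+22 Jan-2011 Build 1405 Frank Heyne (FrankH)
+# Security fix (XSS) in form module, thanks to Michael Schwarz 
 22 Jan-2011 Build 1404 Dietmar Woellbrink (Luisehahne)
 # Security fix in pages 
 22 Jan-2011 Build 1403 Dietmar Woellbrink (Luisehahne)
@@ -19,7 +21,7 @@
 ! secure peparing and beginning fix admin/pages
 21 Jan-2011 Build 1401 Frank Heyne (FrankH)
 ! fixed changelog
-#21 Jan-2011 Build 1400 Frank Heyne (FrankH)
+21 Jan-2011 Build 1400 Frank Heyne (FrankH)
 # Security fix in account 
 # Security fix in admin/media, thanks to hal 9000
 21 Jan-2011 Build 1399 Dietmar Woellbrink (Luisehahne)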
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
55
if(!defined('REVISION')) define('REVISION', '1404');
55
if(!defined('REVISION')) define('REVISION', '1405');
56 56

  
57 57
?>
branches/2.8.x/wb/admin/preferences/save.php
30 30
	$err_msg = array();
31 31
	$min_pass_length = 6;
32 32
// first check form-tan
33
	if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['PAGES']['NOT_SAVED']; }
33
	if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
34 34
// Get entered values and validate all
35 35
	// remove any dangerouse chars from display_name
36 36
	$display_name     = $admin->add_slashes(strip_tags(trim($admin->get_post('display_name'))));
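Review bot: A failed `checkFTAN()` on line 33 is only appended to `$err_msg`, and the script goes on to read and validate the posted fields, so whether a request with a bad form token is actually refused depends on an `$err_msg` check further down that is outside this section. A token failure is better handled as a hard stop before any POST value is touched; at minimum add a comment such as `// FTAN failure: nothing below may write to the database while $err_msg is non-empty`. Both `33` lines share one gutter number, so this assumes the `GENERIC_SECURITY_ACCESS` line is the new side.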
branches/2.8.x/wb/modules/form/view.php
430 430
					} else {
431 431
						$submitted_by = 0;
432 432
					}
433
					$email_body = $wb->add_slashes($email_body);
433
					$email_body = htmlspecialchars($wb->add_slashes($email_body));
434 434
					$database->query("INSERT INTO ".TABLE_PREFIX."mod_form_submissions (page_id,section_id,submitted_when,submitted_by,body) VALUES ('".PAGE_ID."','$section_id','".time()."','$submitted_by','$email_body')");
435 435
					// Make sure submissions table isn't too full
436 436
					$query_submissions = $database->query("SELECT submission_id FROM ".TABLE_PREFIX."mod_form_submissions ORDER BY submitted_when");
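Review bot: `htmlspecialchars()` on line 433 encodes the submission at storage time, so rows written before this revision stay unencoded and the fix holds only if every page that prints `mod_form_submissions.body` outputs it as-is; encoding where the body is displayed would cover old and new rows alike. If encoding on write is kept, make SQL escaping the last step and name the flags explicitly, e.g. `$email_body = $wb->add_slashes(htmlspecialchars($email_body, ENT_QUOTES));`, since without `ENT_QUOTES` single quotes are left as they are. The INSERT on line 434 is still built by string concatenation and relies entirely on `add_slashes()`, whose implementation is not visible here; `$section_id` and `$submitted_by` are interpolated as well and would be safer cast to int where they are assigned, which is outside this section. This assumes the second `433` line is the new side, as both carry the same gutter number.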
