Index: trunk/CHANGELOG
===================================================================
--- trunk/CHANGELOG	(revision 655)
+++ trunk/CHANGELOG	(revision 656)
@@ -14,6 +14,7 @@
 01-Feb-2008 Christian Sommer
 #	Added default index.php to all folders to prevent directory spoofing
 01-Feb-2008 Thomas Hornik
+#	Added some missing add_slashes(), get_post_escaped(), and strip_tags() for $_POST, $_GET and $_REQUEST-data. Also for $_SERVER['PHP_SELF'].
 #	Fixed possible XSS-vulnerability in wb/search/search.php
 31-Jan-2008 Thomas Hornik
 !	Adjusted clock-red icon to match wb colors
Index: trunk/wb/include/captcha/captchas/text.php
===================================================================
--- trunk/wb/include/captcha/captchas/text.php	(revision 655)
+++ trunk/wb/include/captcha/captchas/text.php	(revision 656)
@@ -39,7 +39,7 @@
 $table = TABLE_PREFIX.'mod_captcha_control';
 if($query = $database->query("SELECT ct_text FROM $table")) {
 	$data = $query->fetchRow();
-	$text_qa = $admin->strip_slashes($data['ct_text']);
+	$text_qa = $data['ct_text'];
 }
 $content = explode("\n", $text_qa);
 
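Review bot: `$text_qa` is only assigned inside the `if($query = ...)` branch, so when the query fails line 24's `explode("\n", $text_qa)` runs on an undefined variable. Initialise it first, as captcha_control/tool.php does in this same commit (`$text_qa = '';` before the query), and guard the fetch: `if($query && ($data = $query->fetchRow())) $text_qa = $data['ct_text'];`. Dropping strip_slashes() on the fetched value looks right, since the stored text is escaped with add_slashes() only at write time and so comes back unescaped.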
@@ -47,7 +47,6 @@
 while($s = current($content)) {
 	// get question
 	$s=trim(rtrim(rtrim($s,"\n"),"\r")); // remove newline
-	$s=$admin->strip_slashes($s);
 	if($s=='' OR $s{0}!='?') {
 		next($content);
 		continue;
@@ -66,7 +65,6 @@
 	// get answer
 	$s=next($content);
 	$s=trim(rtrim(rtrim($s,"\n"),"\r")); // remove newline
-	$s=$admin->strip_slashes($s);
 	if(isset($s{0}) && $s{0}=='!') {
 		$a=substr($s,1);
 		$qa[$lang][$q]=$a;
Index: trunk/wb/admin/groups/save.php
===================================================================
--- trunk/wb/admin/groups/save.php	(revision 655)
+++ trunk/wb/admin/groups/save.php	(revision 656)
@@ -40,7 +40,7 @@
 }
 
 // Gather details entered
-$group_name = $admin->get_post('group_name');
+$group_name = $admin->get_post_escaped('group_name');
 
 // Create a javascript back link
 $js_back = "javascript: history.go(-1);";
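Review bot: `get_post_escaped('group_name')` only escapes for SQL; the name is neither tag-stripped nor HTML-escaped here, unlike the title/comment handling in news/save_comment.php in this same commit. If the group name is echoed back in the admin UI without escaping, a saved `<script>` would execute there; `$group_name = strip_tags($admin->get_post_escaped('group_name'));` would be consistent with the other sites, and the value should still be escaped at output.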
Index: trunk/wb/admin/groups/groups.php
===================================================================
--- trunk/wb/admin/groups/groups.php	(revision 655)
+++ trunk/wb/admin/groups/groups.php	(revision 656)
@@ -30,7 +30,7 @@
 // Create new database object
 $database = new database();
 
-if(!isset($_POST['action']) OR $_POST['action'] != "modify" AND $_POST['action'] != "delete") {
+if(!isset($_POST['action']) OR ($_POST['action'] != "modify" AND $_POST['action'] != "delete")) {
 	header("Location: index.php");
 	exit(0);
 }
Index: trunk/wb/admin/pages/sections_save.php
===================================================================
--- trunk/wb/admin/pages/sections_save.php	(revision 655)
+++ trunk/wb/admin/pages/sections_save.php	(revision 656)
@@ -106,8 +106,8 @@
 				}
 				if($sql != '')
 					$sql .= ",";
-				$sql .= " publ_start = '".$publ_start."'";
-				$sql .= ", publ_end = '".$publ_end."'";
+				$sql .= " publ_start = '".$admin->add_slashes($publ_start)."'";
+				$sql .= ", publ_end = '".$admin->add_slashes($publ_end)."'";
 			}
 			$query = "UPDATE ".TABLE_PREFIX."sections SET $sql WHERE section_id = '$section_id' LIMIT 1";
 			if($sql != '') {
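Review bot: `$section_id` in the UPDATE on line 81 is still interpolated raw while `$publ_start`/`$publ_end` now get add_slashes(); its assignment is above this hunk, so if it is not already cast, `(int) $section_id` in the query closes the gap. If `$publ_start`/`$publ_end` are timestamps returned by the calendar helper, `(int)` casts would be the more precise choice than string escaping. The enclosing block starts outside the hunk.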
Index: trunk/wb/admin/pages/settings2.php
===================================================================
--- trunk/wb/admin/pages/settings2.php	(revision 655)
+++ trunk/wb/admin/pages/settings2.php	(revision 656)
@@ -41,20 +41,20 @@
 
 // Get values
 $page_title = $admin->get_post_escaped('page_title');
-$page_title = my_htmlspecialchars($page_title);
+$page_title = htmlspecialchars($page_title);
 $menu_title = $admin->get_post_escaped('menu_title');
-$menu_title = my_htmlspecialchars($menu_title);
-$description = my_htmlspecialchars($admin->add_slashes($admin->get_post('description')));
-$keywords = my_htmlspecialchars($admin->add_slashes($admin->get_post('keywords')));
-$parent = $admin->get_post('parent');
-$visibility = $admin->get_post('visibility');
-$template = $admin->get_post('template');
-$target = $admin->get_post('target');
-$admin_groups = $admin->get_post('admin_groups');
-$viewing_groups = $admin->get_post('viewing_groups');
-$searching = $admin->get_post('searching');
-$language = $admin->get_post('language');
-$menu = $admin->get_post('menu');
+$menu_title = htmlspecialchars($menu_title);
+$description = htmlspecialchars($admin->add_slashes($admin->get_post('description')));
+$keywords = htmlspecialchars($admin->add_slashes($admin->get_post('keywords')));
+$parent = $admin->get_post_escaped('parent');
+$visibility = $admin->get_post_escaped('visibility');
+$template = $admin->get_post_escaped('template');
+$target = $admin->get_post_escaped('target');
+$admin_groups = $admin->get_post_escaped('admin_groups');
+$viewing_groups = $admin->get_post_escaped('viewing_groups');
+$searching = $admin->get_post_escaped('searching');
+$language = $admin->get_post_escaped('language');
+$menu = $admin->get_post_escaped('menu');
 
 // Validate data
 if($page_title == '' || substr($page_title,0,1)=='.') {
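Review bot: Several of the newly escaped fields are identifiers rather than free text — `parent`, `searching`, `menu`, `admin_groups`, `viewing_groups` — and SQL-escaping a number is weaker than casting it: `$parent = (int) $admin->get_post('parent');`. If `admin_groups`/`viewing_groups` arrive as arrays (users/add.php in this commit treats `groups` that way), check what get_post_escaped() does with a non-string before relying on it for escaping. Note that `htmlspecialchars()` with its default flags leaves single quotes alone, so add_slashes() is the only thing protecting them in `$description`/`$keywords`; the add_slashes→htmlspecialchars order is therefore correct as written.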
Index: trunk/wb/admin/pages/sections.php
===================================================================
--- trunk/wb/admin/pages/sections.php	(revision 655)
+++ trunk/wb/admin/pages/sections.php	(revision 656)
@@ -70,7 +70,7 @@
 	}
 } elseif(isset($_POST['module']) AND $_POST['module'] != '') {
 	// Get section info
-	$module = $_POST['module'];
+	$module = $admin->add_slashes($_POST['module']);
 	// Include the ordering class
 	require(WB_PATH.'/framework/class.order.php');
 	// Get new order
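Review bot: `add_slashes($_POST['module'])` protects the SQL below, but `$module` is a directory name, and if the rest of this branch (outside the hunk) uses it to build a filesystem path, backslash-escaping does nothing against `../`. Restrict it to a plain name before use, e.g. `if(!preg_match('/^[a-zA-Z0-9_-]+$/', $_POST['module'])) { header("Location: index.php"); exit(0); }`, or look it up in the addons table first.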
Index: trunk/wb/admin/users/save.php
===================================================================
--- trunk/wb/admin/users/save.php	(revision 655)
+++ trunk/wb/admin/users/save.php	(revision 656)
@@ -40,15 +40,15 @@
 }
 
 // Gather details entered
-$groups_id = (isset($_POST['groups'])) ? $groups_id = implode(",", $_POST['groups']) : '';
-$active = $_POST['active'][0];
-$username_fieldname = $admin->get_post('username_fieldname');
-$username = strtolower($admin->get_post($username_fieldname));
+$groups_id = (isset($_POST['groups'])) ? implode(",", $admin->add_slashes($_POST['groups'])) : '';
+$active = $admin->add_slashes($_POST['active'][0]);
+$username_fieldname = $admin->get_post_escaped('username_fieldname');
+$username = strtolower($admin->get_post_escaped($username_fieldname));
 $password = $admin->get_post('password');
 $password2 = $admin->get_post('password2');
-$display_name = $admin->get_post('display_name');
-$email = $admin->get_post('email');
-$home_folder = $admin->get_post('home_folder');
+$display_name = $admin->get_post_escaped('display_name');
+$email = $admin->get_post_escaped('email');
+$home_folder = $admin->get_post_escaped('home_folder');
 
 // Create a javascript back link
 $js_back = "javascript: history.go(-1);";
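Review bot: `$admin->add_slashes($_POST['groups'])` is passed an array, and if add_slashes() mirrors the `is_string` guard visible in strip_slashes() (class.wb.php in this commit) it returns the array untouched, so the group list is still unescaped when it is imploded. Since group ids are numeric, cast instead of escaping: `$groups_id = isset($_POST['groups']) ? implode(",", array_map('intval', (array) $_POST['groups'])) : '';` and `$active = (int) $_POST['active'][0];`. `$_POST['active']` is also read without an isset() check.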
Index: trunk/wb/admin/users/users.php
===================================================================
--- trunk/wb/admin/users/users.php	(revision 655)
+++ trunk/wb/admin/users/users.php	(revision 656)
@@ -30,7 +30,7 @@
 // Create new database object
 $database = new database();
 
-if(!isset($_POST['action']) OR $_POST['action'] != "modify" AND $_POST['action'] != "delete") {
+if(!isset($_POST['action']) OR ($_POST['action'] != "modify" AND $_POST['action'] != "delete")) {
 	header("Location: index.php");
 	exit(0);
 }
Index: trunk/wb/admin/users/add.php
===================================================================
--- trunk/wb/admin/users/add.php	(revision 655)
+++ trunk/wb/admin/users/add.php	(revision 656)
@@ -32,15 +32,15 @@
 $database = new database();
 
 // Get details entered
-$groups_id = implode(",", $_POST['groups']); //should check permissions
-$active = $_POST['active'][0];
-$username_fieldname = $admin->get_post('username_fieldname');
-$username = strtolower($admin->get_post($username_fieldname));
+$groups_id = implode(",", $admin->add_slashes($_POST['groups'])); //should check permissions
+$active = $admin->add_slashes($_POST['active'][0]);
+$username_fieldname = $admin->get_post_escaped('username_fieldname');
+$username = strtolower($admin->get_post_escaped($username_fieldname));
 $password = $admin->get_post('password');
 $password2 = $admin->get_post('password2');
-$display_name = $admin->get_post('display_name');
-$email = $admin->get_post('email');
-$home_folder = $admin->get_post('home_folder');
+$display_name = $admin->get_post_escaped('display_name');
+$email = $admin->get_post_escaped('email');
+$home_folder = $admin->get_post_escaped('home_folder');
 $default_language = DEFAULT_LANGUAGE;
 
 // Create a javascript back link
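Review bot: `implode(",", $admin->add_slashes($_POST['groups']))` still reads `$_POST['groups']` without an isset() (users/save.php in this commit guards it) and hands add_slashes() an array, which — if it mirrors the `is_string` guard shown in strip_slashes() — comes back unchanged. Because group ids are numeric, `$groups_id = isset($_POST['groups']) ? implode(",", array_map('intval', (array) $_POST['groups'])) : '';` and `$active = (int) $_POST['active'][0];` are both safer. The `//should check permissions` note is still unaddressed: nothing here verifies the caller may assign the chosen groups.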
Index: trunk/wb/admin/modules/uninstall.php
===================================================================
--- trunk/wb/admin/modules/uninstall.php	(revision 655)
+++ trunk/wb/admin/modules/uninstall.php	(revision 656)
@@ -23,12 +23,17 @@
 
 */
 
+// Setup admin object
+require('../../config.php');
+require_once(WB_PATH.'/framework/class.admin.php');
+$admin = new admin('Addons', 'modules_uninstall');
+
 // Check if user selected module
 if(!isset($_POST['file']) OR $_POST['file'] == "") {
 	header("Location: index.php");
 	exit(0);
 } else {
-	$file = $_POST['file'];
+	$file = $admin->add_slashes($_POST['file']);
 }
 
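Review bot: `$file` names a module directory that this script goes on to remove, so add_slashes() is the wrong filter — it only matters for SQL, and the 'Extra protection' check that follows is outside this hunk, so it is unclear whether `..` or `/` are rejected. Validate the name before anything else: `if(!preg_match('/^[a-zA-Z0-9_-]+$/', $_POST['file'])) { header("Location: index.php"); exit(0); }`, and apply add_slashes() only where the value reaches a query. Moving the admin object above the check is fine, assuming the constructor enforces the 'modules_uninstall' permission.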
 // Extra protection
@@ -37,11 +42,6 @@
 	exit(0);
 }
 
-// Setup admin object
-require('../../config.php');
-require_once(WB_PATH.'/framework/class.admin.php');
-$admin = new admin('Addons', 'modules_uninstall');
-
 // Include the WB functions file
 require_once(WB_PATH.'/framework/functions.php');
 
Index: trunk/wb/admin/modules/details.php
===================================================================
--- trunk/wb/admin/modules/details.php	(revision 655)
+++ trunk/wb/admin/modules/details.php	(revision 656)
@@ -27,12 +27,16 @@
 require('../../config.php');
 require_once(WB_PATH .'/framework/functions.php');
 
+// Print admin header
+require_once(WB_PATH.'/framework/class.admin.php');
+$admin = new admin('Addons', 'modules_view');
+
 // Get module name
 if(!isset($_POST['file']) OR $_POST['file'] == "") {
 	header("Location: index.php");
 	exit(0);
 } else {
-	$file = $_POST['file'];
+	$file = $admin->add_slashes($_POST['file']);
 }
 
 // Check if the module exists
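Review bot: As in uninstall.php, `$file` is a module directory name, so add_slashes() addresses SQL but not path traversal if the existence check below (outside this hunk) touches the filesystem. A name allow-list — `if(!preg_match('/^[a-zA-Z0-9_-]+$/', $_POST['file'])) { header("Location: index.php"); exit(0); }` — is the check that actually matches how the value is used, with add_slashes() reserved for the query.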
@@ -41,10 +45,6 @@
 	exit(0);
 }
 
-// Print admin header
-require_once(WB_PATH.'/framework/class.admin.php');
-$admin = new admin('Addons', 'modules_view');
-
 // Setup module object
 $template = new Template(ADMIN_PATH.'/modules');
 $template->set_file('page', 'details.html');
Index: trunk/wb/admin/admintools/tool.php
===================================================================
--- trunk/wb/admin/admintools/tool.php	(revision 655)
+++ trunk/wb/admin/admintools/tool.php	(revision 656)
@@ -35,7 +35,7 @@
 }
 
 // Check if tool is installed
-$result = $database->query("SELECT * FROM ".TABLE_PREFIX."addons WHERE type = 'module' AND function = 'tool' AND directory = '".$_GET['tool']."'");
+$result = $database->query("SELECT * FROM ".TABLE_PREFIX."addons WHERE type = 'module' AND function = 'tool' AND directory = '".$admin->add_slashes($_GET['tool'])."'");
 if($result->numRows() == 0) {
 	header("Location: index.php");
 	exit(0);
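Review bot: `$_GET['tool']` is used on line 278 without an isset() check visible in this hunk; if the lines above do not already test it, a missing parameter raises a notice and runs the query with an empty directory. The lookup against the addons table otherwise works as an allow-list for whatever this script does next with the tool name, which is the right shape; a `(string)` cast with `isset()` — `$tool = isset($_GET['tool']) ? $admin->add_slashes($_GET['tool']) : '';` — keeps that explicit.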
Index: trunk/wb/account/details.php
===================================================================
--- trunk/wb/account/details.php	(revision 655)
+++ trunk/wb/account/details.php	(revision 656)
@@ -30,10 +30,10 @@
 
 // Get entered values
 $display_name = $wb->add_slashes(strip_tags($wb->get_post('display_name')));
-$language = $wb->get_post('language');
-$timezone = $wb->get_post('timezone')*60*60;
-$date_format = $wb->get_post('date_format');
-$time_format = $wb->get_post('time_format');
+$language = $wb->get_post_escaped('language');
+$timezone = $wb->get_post_escaped('timezone')*60*60;
+$date_format = $wb->get_post_escaped('date_format');
+$time_format = $wb->get_post_escaped('time_format');
 
 // Create a javascript back link
 $js_back = "javascript: history.go(-1);";
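Review bot: `$wb->get_post_escaped('timezone')*60*60` does arithmetic on an SQL-escaped string; the value is numeric by design, so cast instead: `$timezone = (int) $wb->get_post('timezone') * 60 * 60;`. `language`, `date_format` and `time_format` are presumably selected from fixed lists, so checking them against the allowed values would be stronger than escaping alone.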
Index: trunk/wb/account/signup2.php
===================================================================
--- trunk/wb/account/signup2.php	(revision 655)
+++ trunk/wb/account/signup2.php	(revision 656)
@@ -37,8 +37,8 @@
 // Get details entered
 $group_id = FRONTEND_SIGNUP;
 $active = 1;
-$username = strtolower($wb->add_slashes(strip_tags($wb->get_post('username'))));
-$display_name = $wb->add_slashes(strip_tags($wb->get_post('display_name')));
+$username = strtolower(strip_tags($wb->get_post_escaped('username')));
+$display_name = strip_tags($wb->get_post_escaped('display_name'));
 $email = $wb->get_post('email');
 
 // Create a javascript back link
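Review bot: `$email` on line 313 is still read with plain get_post() while `username` and `display_name` switched to get_post_escaped(); it is used in a query later in this file, so escape it once here — `$email = $wb->add_slashes($wb->get_post('email'));` — rather than at each use. Calling strip_tags() on the already escaped value works, but keep in mind the backslashes are present when it runs.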
@@ -94,7 +94,7 @@
 }
 
 // Check if the email already exists
-$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '$email'");
+$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '$wb->add_slashes($email'");
 if($results->numRows() > 0) {
 	if(isset($MESSAGE['USERS']['EMAIL_TAKEN'])) {
 		$wb->print_error($MESSAGE['USERS']['EMAIL_TAKEN'], $js_back, false);
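Review bot: The interpolation on the new query line is broken: inside a double-quoted string `'$wb->add_slashes($email'` is parsed as the property `$wb->add_slashes` (undefined, so it yields nothing) followed by the literal `(` and then `$email`, so the query becomes `email = '(<address>'` — the duplicate check can never match and the address still reaches SQL unescaped. Concatenate the call instead: `$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '".$wb->add_slashes($email)."'");`, or escape `$email` once where it is read. Since the lookup now silently finds nothing, the signup presumably proceeds even for an already registered address.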
Index: trunk/wb/framework/class.admin.php
===================================================================
--- trunk/wb/framework/class.admin.php	(revision 655)
+++ trunk/wb/framework/class.admin.php	(revision 656)
@@ -101,7 +101,7 @@
 		$view_url = WB_URL;
 		if(isset($_GET['page_id'])) {
 			// extract page link from the database
-			$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) $_GET['page_id'] ."'");
+			$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
 			$row = @$result->fetchRow();
 			if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION;
 		}
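Review bot: `(int) addslashes($_GET['page_id'])` is redundant: the `(int)` cast already reduces any string to a plain integer, so addslashes() changes nothing about what reaches the query. Keep the original `(int) $_GET['page_id']`; where a string must be escaped, the class's own `$this->add_slashes()` is the helper the rest of this commit uses.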
@@ -311,7 +311,7 @@
 		if(isset($_GET['tool'])) {
 			// check if displayed page contains a installed admin tool
 			$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons 
-				WHERE type = 'module' AND function = 'tool' AND directory = '".$_GET['tool']."'");
+				WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
 
 			if($result->numRows()) {
 				// check if admin tool directory contains a backend.js or backend.css file to include
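Review bot: `addslashes($_GET['tool'])` calls the PHP builtin rather than `$this->add_slashes()`, which the rest of this commit uses for request data (e.g. admintools/tool.php, same query); if the wrapper compensates for magic_quotes_gpc, the builtin will double-escape under that setting and the directory lookup will silently fail. Use `directory = '".$this->add_slashes($_GET['tool'])."'"` for consistency.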
@@ -323,7 +323,7 @@
 			}
 		} elseif(isset($_GET['page_id'])) {
 			// check if displayed page in the backend contains a page module
-			$page_id = (int) $_GET['page_id'];
+			$page_id = (int) addslashes($_GET['page_id']);
 
     		// gather information for all models embedded on actual page
 			$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections 
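Review bot: `(int) addslashes($_GET['page_id'])` is the same redundant pairing as in the first hunk of this file: the cast makes addslashes() a no-op. `$page_id = (int) $_GET['page_id'];` is sufficient and clearer about the intent (an integer id, not an escaped string).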
Index: trunk/wb/framework/class.wb.php
===================================================================
--- trunk/wb/framework/class.wb.php	(revision 655)
+++ trunk/wb/framework/class.wb.php	(revision 656)
@@ -137,6 +137,9 @@
 	}
 
 	// Ditto for stripslashes
+	// Attn: this is _not_ the counterpart to $this->add_slashes() !
+	// Use stripslashes() to undo a preliminarily done $this->add_slashes()
+	// The purpose of $this->strip_slashes() is to undo the effects of magic_quotes_gpc==On
 	function strip_slashes($input) {
 		if ( !get_magic_quotes_gpc() || ( !is_string($input) ) ) {
 			return $input;
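Review bot: The new comment explains the asymmetry but not the contract: the visible body returns the input untouched when magic_quotes_gpc is off or the input is not a string, which callers passing arrays (see the `$_POST['groups']` sites in this commit) need to know. A docblock such as `/** Undo magic_quotes_gpc escaping on a request string. Non-strings are returned unchanged. NOT the inverse of add_slashes(); use stripslashes() for that. */` would state both. The function body continues outside this hunk.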
Index: trunk/wb/search/search.php
===================================================================
--- trunk/wb/search/search.php	(revision 655)
+++ trunk/wb/search/search.php	(revision 656)
@@ -127,8 +127,7 @@
 	$string = $wb->strip_slashes($string);
 	$string = htmlspecialchars($string);
 	$search_display_string = $string;
-	// do really addslashes()
-	$string = $wb->add_slashes($string);
+	$string = addslashes($string);
 	// remove some bad chars
 	$string = preg_replace("/(^|\s+)([.])+(?=\s+|$)/", "", $string);
 	// mySQL needs four backslashes to match one in LIKE comparisons)
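Review bot: `addslashes()` is applied to `$string` after it has been passed through htmlspecialchars() on line 376, so the value matched against the database is the entity-encoded form — a search for `&`, `<` or `"` will only hit content that is stored encoded. If page content is stored raw, keep an unencoded copy for the query (e.g. `$search_raw = $wb->strip_slashes($string);` before line 376, then `$string = addslashes($search_raw);` here) and use the encoded copy only for `$search_display_string`. The switch to the builtin is consistent with the new comment in class.wb.php.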
Index: trunk/wb/search/index.php
===================================================================
--- trunk/wb/search/index.php	(revision 655)
+++ trunk/wb/search/index.php	(revision 656)
@@ -51,7 +51,7 @@
 unset($template);
 
 //Get the referrer page ID if it exists
-if(isset($_REQUEST['referrer']) && intval($_REQUEST['referrer']) > 0) {
+if(isset($_REQUEST['referrer']) && is_numeric($_REQUEST['referrer']) && intval($_REQUEST['referrer']) > 0) {
 	define('REFERRER_ID', intval($_REQUEST['referrer']));
 } else {
 	define('REFERRER_ID', 0);
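Review bot: `is_numeric()` before `intval()` adds little here, since `intval(...) > 0` already rejects non-numeric strings, and is_numeric() still accepts forms such as `1e3` or leading whitespace. If the intent is a strict positive integer, `ctype_digit((string) $_REQUEST['referrer'])` says so; otherwise the original condition was already sufficient.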
Index: trunk/wb/modules/wrapper/save.php
===================================================================
--- trunk/wb/modules/wrapper/save.php	(revision 655)
+++ trunk/wb/modules/wrapper/save.php	(revision 656)
@@ -31,12 +31,11 @@
 
 // Update the mod_wrapper table with the contents
 if(isset($_POST['url'])) {
-	$url = $admin->add_slashes($_POST['url']);
+	$url = $admin->add_slashes(strip_tags($_POST['url']));
 	$height = $_POST['height'];
 	if(!is_numeric($height)) {
 		$height = 400;
 	}
-	$database = new database();
 	$query = "UPDATE ".TABLE_PREFIX."mod_wrapper SET url = '$url', height = '$height' WHERE section_id = '$section_id'";
 	$database->query($query);	
 }
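Review bot: strip_tags() does not make `$url` safe for the iframe `src` the wrapper module presumably renders: a `javascript:` URL contains no tags. Check the scheme instead, e.g. `$url = preg_match('#^https?://#i', $_POST['url']) ? $admin->add_slashes($_POST['url']) : '';`, and cast the height (`$height = is_numeric($_POST['height']) ? (int) $_POST['height'] : 400;`) since is_numeric() also passes floats and exponents. Removing `new database()` now depends on `$database` being provided by the admin wrapper included above this hunk.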
Index: trunk/wb/modules/menu_link/save.php
===================================================================
--- trunk/wb/modules/menu_link/save.php	(revision 655)
+++ trunk/wb/modules/menu_link/save.php	(revision 656)
@@ -31,9 +31,9 @@
 
 // Update id, anchor and target
 if(isset($_POST['page_link'])) {
-	$foreign_page_id = $_POST['page_link'];
-	$page_target = $_POST['page_target'];
-	$url_target = $_POST['target'];
+	$foreign_page_id = $admin->add_slashes($_POST['page_link']);
+	$page_target = $admin->add_slashes($_POST['page_target']);
+	$url_target = $admin->add_slashes($_POST['target']);
 
 	$table_pages = TABLE_PREFIX.'pages';
 	$table_mod = TABLE_PREFIX.'mod_menu_link';
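Review bot: `page_link` is a page id and `page_target`/`target` are presumably picked from fixed options, so casting and allow-listing fit better than add_slashes(): `$foreign_page_id = (int) $_POST['page_link'];` plus a check that `$url_target` is one of the values the form offers. `$_POST['page_target']` and `$_POST['target']` are also read without isset() although only `page_link` is tested on line 422.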
Index: trunk/wb/modules/captcha_control/tool.php
===================================================================
--- trunk/wb/modules/captcha_control/tool.php	(revision 655)
+++ trunk/wb/modules/captcha_control/tool.php	(revision 656)
@@ -52,10 +52,9 @@
 	");
 
 	// save text-captchas
-	if($_POST['captcha_type'] == 'text') { // ct_text
-		$text_qa=$_POST['text_qa'];
+	if($captcha_type == 'text') { // ct_text
+		$text_qa=$admin->add_slashes($_POST['text_qa']);
 		if(strpos($text_qa, '### example ###') === FALSE) {
-			$text_qa=$admin->add_slashes($text_qa);
 			$database->query("UPDATE $table SET ct_text = '$text_qa'");
 		}
 	}
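Review bot: `$_POST['text_qa']` is read on the new line without an isset() guard; `$text_qa = $admin->add_slashes(isset($_POST['text_qa']) ? $_POST['text_qa'] : '');` avoids the notice when the text form is not the one submitted. Comparing the local `$captcha_type` (assigned above this hunk) is fine, and escaping before the `'### example ###'` check is harmless because the marker contains nothing add_slashes() touches.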
@@ -76,7 +75,7 @@
 	$text_qa='';
 	if($query = $database->query("SELECT ct_text FROM $table")) {
 		$data = $query->fetchRow();
-		$text_qa = $admin->strip_slashes($data['ct_text']);
+		$text_qa = $data['ct_text'];
 	}
 	if($text_qa == '')
 		$text_qa = $MOD_CAPTCHA_CONTROL['CAPTCHA_TEXT_DESC'];
@@ -125,7 +124,7 @@
 		$data = $query->fetchRow();
 		$enabled_captcha = $data['enabled_captcha'];
 		$enabled_asp = $data['enabled_asp'];
-		$captcha_type = $admin->strip_slashes($data['captcha_type']);
+		$captcha_type = $data['captcha_type'];
 	} else {
 		// something went wrong, use dummy value
 		$enabled_captcha = '1';
Index: trunk/wb/modules/form/edit_css.php
===================================================================
--- trunk/wb/modules/form/edit_css.php	(revision 655)
+++ trunk/wb/modules/form/edit_css.php	(revision 656)
@@ -93,7 +93,7 @@
 		}
 			
 	?>
-		<form name="edit_module_file" action="<?php echo $_SERVER['PHP_SELF'] .'?action=save';?>" method="post" style="margin: 0;">
+		<form name="edit_module_file" action="<?php echo htmlspecialchars(strip_tags($_SERVER['PHP_SELF'])) .'?action=save';?>" method="post" style="margin: 0;">
 	  		<input type="hidden" name="section_id" value="<?php echo $section_id; ?>">
 	  		<input type="hidden" name="page_id" value="<?php echo $page_id; ?>">
 			<input type="hidden" name="css_codepress" value="" />
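Review bot: `$_SERVER['PHP_SELF']` carries attacker-controlled PATH_INFO; htmlspecialchars() neutralises it for this attribute, but strip_tags() is redundant once that is applied (and can mangle a legitimate path containing `<`). `$_SERVER['SCRIPT_NAME']` does not include PATH_INFO, so `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']).'?action=save'; ?>"` is the simpler form. `$section_id`/`$page_id` echoed in the hidden inputs are set outside this hunk and should already be integers by the time they get here.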
Index: trunk/wb/modules/form/save_field.php
===================================================================
--- trunk/wb/modules/form/save_field.php	(revision 655)
+++ trunk/wb/modules/form/save_field.php	(revision 656)
@@ -36,7 +36,6 @@
 	exit(0);
 } else {
 	$field_id = $_POST['field_id'];
-	$field_id = $field_id;
 }
 
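Review bot: `$field_id = $_POST['field_id']` is still taken as-is; the condition guarding it is above this hunk, and if it only tests isset() the id is later embedded in the redirect URL on line 493 and presumably in SQL. Cast it where it is read: `$field_id = (int) $_POST['field_id'];`. Removing the self-assignment is a fine cleanup.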
 // Include WB admin wrapper script
@@ -48,8 +47,8 @@
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/form/modify_field.php?page_id='.$page_id.'&section_id='.$section_id.'&field_id='.$field_id);
 } else {
 	$title = $admin->add_slashes($admin->get_post('title'));
-	$type = $admin->get_post('type');
-	$required = $admin->get_post('required');
+	$type = $admin->add_slashes($admin->get_post('type'));
+	$required = $admin->add_slashes($admin->get_post('required'));
 }
 $value = '';
 
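Review bot: `required` is a flag and `type` comes from a fixed set of field types, so `(int)` and an allow-list fit better than add_slashes(): `$required = (int) $admin->get_post('required');`. `$field_id` is interpolated into the error-redirect URL on line 493 unescaped; unless it was cast to int above the hunk, that URL is an XSS sink.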
Index: trunk/wb/modules/form/view.php
===================================================================
--- trunk/wb/modules/form/view.php	(revision 655)
+++ trunk/wb/modules/form/view.php	(revision 656)
@@ -124,7 +124,7 @@
 
 // Add form starter code
 ?>
-<form name="form" onsubmit="return formCheck(this);" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form name="form" onsubmit="return formCheck(this);" action="<?php echo htmlspecialchars(strip_tags($_SERVER['PHP_SELF'])); ?>" method="post">
 <input type="hidden" name="submission_id" value="<?php echo $_SESSION['form_submission_id']; ?>" />
 <?php
 
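Review bot: htmlspecialchars() alone is enough for the `action` attribute; strip_tags() on a URL path is redundant and can remove legitimate characters. Since the PATH_INFO part of PHP_SELF is what an attacker controls, `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>"` avoids the problem at the source. `$_SESSION['form_submission_id']` is echoed raw on the next line; that is fine only if it is always generated server-side as an integer/token.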
@@ -338,7 +338,7 @@
 			$email_from = $fetch_settings['email_from'];
 			if(substr($email_from, 0, 5) == 'field') {
 				// Set the email from field to what the user entered in the specified field
-				$email_from = $wb->add_slashes($_POST[$email_from]);
+				$email_from = htmlspecialchars($wb->add_slashes($_POST[$email_from]));
 			}
 			$email_fromname = $fetch_settings['email_fromname'];
 			$email_subject = $fetch_settings['email_subject'];
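Review bot: htmlspecialchars() is the wrong filter for `$email_from`: the value becomes a mail From header, where the risk is header injection through `\r\n`, which HTML-encoding leaves intact, while add_slashes() puts backslashes into the header. Validate it as an address and otherwise discard it: `$email_from = $admin->validate_email($_POST[$email_from]) ? $_POST[$email_from] : '';` — the same `validate_email()` is already called on `$admin` at line 540 for email fields. The lookup `$_POST[$email_from]` also needs an isset() since the field name comes from settings, not the request.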
@@ -346,7 +346,7 @@
 			$success_email_to = $fetch_settings['success_email_to'];
 			if(substr($success_email_to, 0, 5) == 'field') {
 				// Set the success_email to field to what the user entered in the specified field
-				$success_email_to = $wb->add_slashes($_POST[$success_email_to]);
+				$success_email_to = htmlspecialchars($wb->add_slashes($_POST[$success_email_to]));
 			}
 			$success_email_from = $fetch_settings['success_email_from'];
 			$success_email_fromname = $fetch_settings['success_email_fromname'];
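Review bot: Same issue as for `$email_from`: `$success_email_to` is a recipient header, so HTML-encoding does not stop `\r\n` injection and add_slashes() corrupts a valid address. Use the address validator instead: `$success_email_to = (isset($_POST[$success_email_to]) && $admin->validate_email($_POST[$success_email_to])) ? $_POST[$success_email_to] : '';`.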
@@ -384,7 +384,7 @@
 				// Add to message body
 				if($field['type'] != '') {
 					if(!empty($_POST['field'.$field['field_id']])) {
-						if(isset($captcha_error)) $_SESSION['field'.$field['field_id']] = $_POST['field'.$field['field_id']];
+						if(isset($captcha_error)) $_SESSION['field'.$field['field_id']] = htmlspecialchars($_POST['field'.$field['field_id']]);
 						if($field['type'] == 'email' AND $admin->validate_email($_POST['field'.$field['field_id']]) == false) {
 							$email_error = $MESSAGE['USERS']['INVALID_EMAIL'];
 						}
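Review bot: The session copy is now stored HTML-encoded, so whatever re-renders the form from `$_SESSION['field…']` after a captcha error must not encode it a second time, or users will see `&amp;` and `&lt;` in their own input; encoding at the point of output is the usual place for this, with the session holding the raw value. The email check on the next line still runs on the raw POST value, which is correct.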
Index: trunk/wb/modules/form/save_settings.php
===================================================================
--- trunk/wb/modules/form/save_settings.php	(revision 655)
+++ trunk/wb/modules/form/save_settings.php	(revision 656)
@@ -41,7 +41,7 @@
 $field_loop = $admin->add_slashes($_POST['field_loop']);
 $footer = $admin->add_slashes($_POST['footer']);
 $email_to = $admin->add_slashes($_POST['email_to']);
-$use_captcha = $_POST['use_captcha'];
+$use_captcha = $admin->add_slashes($_POST['use_captcha']);
 if($_POST['email_from_field'] == '') {
 	$email_from = $admin->add_slashes($_POST['email_from']);
 } else {
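Review bot: `use_captcha` is a flag, so `$use_captcha = (int) $_POST['use_captcha'];` is more precise than add_slashes(), and `$_POST['email_from_field']` on the next line is still compared without an isset() check. The statement run starts above this hunk.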
@@ -49,7 +49,7 @@
 }
 $email_fromname = $admin->add_slashes($_POST['email_fromname']);
 $email_subject = $admin->add_slashes($_POST['email_subject']);
-$success_page = $_POST['success_page'];
+$success_page = $admin->add_slashes($_POST['success_page']);
 $success_email_to = $admin->add_slashes($_POST['success_email_to']);
 $success_email_from = $admin->add_slashes($_POST['success_email_from']);
 $success_email_fromname = $admin->add_slashes($_POST['success_email_fromname']);
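Review bot: `success_page` is a page id; cast it — `$success_page = (int) $_POST['success_page'];` — rather than string-escaping it. The surrounding address fields get add_slashes() only, which is right for SQL but does nothing about `\r\n` if they are later used as mail headers.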
Index: trunk/wb/modules/code/save.php
===================================================================
--- trunk/wb/modules/code/save.php	(revision 655)
+++ trunk/wb/modules/code/save.php	(revision 656)
@@ -33,7 +33,6 @@
 if(isset($_POST['content'])) {
 	$tags = array('<?php', '?>' , '<?');
 	$content = $admin->add_slashes(str_replace($tags, '', $_POST['content']));
-	$database = new database();
 	$query = "UPDATE ".TABLE_PREFIX."mod_code SET content = '$content' WHERE section_id = '$section_id'";
 	$database->query($query);	
 }
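Review bot: The tag filter on line 572 is bypassable because str_replace() applies its search array sequentially: `<<??php` contains neither `<?php` nor `?>`, and removing the `<?` match leaves `<?php` behind. If this content is executed later (which the filter suggests), reject rather than strip — `if(preg_match('/<\?|\?>/', $_POST['content'])) { $admin->print_error(...); }` — or repeat the replacement until it is stable: `while(($cleaned = str_replace($tags, '', $content)) !== $content) $content = $cleaned;`. Dropping `new database()` relies on `$database` being provided by the admin wrapper above this hunk.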
Index: trunk/wb/modules/news/edit_css.php
===================================================================
--- trunk/wb/modules/news/edit_css.php	(revision 655)
+++ trunk/wb/modules/news/edit_css.php	(revision 656)
@@ -93,7 +93,7 @@
 		}
 			
 	?>
-		<form name="edit_module_file" action="<?php echo $_SERVER['PHP_SELF'] .'?action=save';?>" method="post" style="margin: 0;">
+		<form name="edit_module_file" action="<?php echo htmlspecialchars(strip_tags($_SERVER['PHP_SELF'])) .'?action=save';?>" method="post" style="margin: 0;">
 	  		<input type="hidden" name="section_id" value="<?php echo $section_id; ?>">
 	  		<input type="hidden" name="page_id" value="<?php echo $page_id; ?>">
 			<input type="hidden" name="css_codepress" value="" />
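Review bot: As in the form module's edit_css.php, htmlspecialchars() is what protects this attribute and strip_tags() is redundant on a path; `htmlspecialchars($_SERVER['SCRIPT_NAME'])` also drops the attacker-controlled PATH_INFO part entirely. The hidden `$section_id`/`$page_id` values come from above this hunk and should be integers by this point.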
Index: trunk/wb/modules/news/save_group.php
===================================================================
--- trunk/wb/modules/news/save_group.php	(revision 655)
+++ trunk/wb/modules/news/save_group.php	(revision 656)
@@ -44,8 +44,8 @@
 if($admin->get_post('title') == '') {
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/news/modify_group.php?page_id='.$page_id.'&section_id='.$section_id.'&group_id='.$group_id);
 } else {
-	$title = $admin->add_slashes($admin->get_post('title'));
-	$active = $admin->get_post('active');
+	$title = $admin->get_post_escaped('title');
+	$active = $admin->get_post_escaped('active');
 }
 
 // Update row
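Review bot: `active` is a flag, so `$active = (int) $admin->get_post('active');` is the precise form; get_post_escaped() on it works but implies a string. The group title is SQL-escaped only — it is echoed by news/view.php (line 614 in this commit) without htmlspecialchars(), so either `strip_tags()` it here as save_comment.php does or escape it at output.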
Index: trunk/wb/modules/news/view.php
===================================================================
--- trunk/wb/modules/news/view.php	(revision 655)
+++ trunk/wb/modules/news/view.php	(revision 656)
@@ -167,7 +167,7 @@
 		if($query_extra != '') {
 			?>
 			<div class="selected_group_title">
-				<?php echo '<a href="'.$_SERVER['PHP_SELF'].'">'.PAGE_TITLE.'</a> >> '.$groups[$_GET['g']]['title']; ?>
+				<?php echo '<a href="'.htmlspecialchars(strip_tags($_SERVER['PHP_SELF'])).'">'.PAGE_TITLE.'</a> >> '.$groups[$_GET['g']]['title']; ?>
 			</div>
 			<?php
 		}
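Review bot: `$groups[$_GET['g']]['title']` on the same line is echoed raw, and save_group.php in this commit stores titles with get_post_escaped() only (no strip_tags/htmlspecialchars), so a title containing markup is reflected here unescaped; wrap it: `htmlspecialchars($groups[$_GET['g']]['title'])`. `$_GET['g']` is also used as an array key without checking it exists, which raises a notice for an unknown group. The PHP_SELF fix itself is correct, though `strip_tags()` is unnecessary once `htmlspecialchars()` is applied.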
Index: trunk/wb/modules/news/save_settings.php
===================================================================
--- trunk/wb/modules/news/save_settings.php	(revision 655)
+++ trunk/wb/modules/news/save_settings.php	(revision 656)
@@ -41,9 +41,9 @@
 $comments_loop = $admin->add_slashes(str_replace($friendly, $raw, $_POST['comments_loop']));
 $comments_footer = $admin->add_slashes(str_replace($friendly, $raw, $_POST['comments_footer']));
 $comments_page = $admin->add_slashes(str_replace($friendly, $raw, $_POST['comments_page']));
-$commenting = $_POST['commenting'];
-$posts_per_page = $_POST['posts_per_page'];
-$use_captcha = $_POST['use_captcha'];
+$commenting = $admin->add_slashes($_POST['commenting']);
+$posts_per_page = $admin->add_slashes($_POST['posts_per_page']);
+$use_captcha = $admin->add_slashes($_POST['use_captcha']);
 if(extension_loaded('gd') AND function_exists('imageCreateFromJpeg')) {
 	$resize = $_POST['resize'];
 } else {
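Review bot: `$resize = $_POST['resize'];` on line 633 is left unescaped while its three siblings above it gained add_slashes(); since `commenting`, `posts_per_page`, `use_captcha` and `resize` are all numeric settings, `(int)` casts — e.g. `$posts_per_page = (int) $_POST['posts_per_page'];` — cover all four more precisely than string escaping. The `else` branch that sets `$resize` when GD is absent continues outside this hunk.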
Index: trunk/wb/modules/news/save_post.php
===================================================================
--- trunk/wb/modules/news/save_post.php	(revision 655)
+++ trunk/wb/modules/news/save_post.php	(revision 656)
@@ -44,13 +44,13 @@
 if($admin->get_post('title') == '' AND $admin->get_post('url') == '') {
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/news/modify_post.php?page_id='.$page_id.'&section_id='.$section_id.'&post_id='.$id);
 } else {
-	$title = $admin->add_slashes($admin->get_post('title'));
-	$short = $admin->add_slashes($admin->get_post('short'));
-	$long = $admin->add_slashes($admin->get_post('long'));
-	$commenting = $admin->get_post('commenting');
-	$active = $admin->get_post('active');
-	$old_link = $admin->get_post('link');
-	$group_id = $admin->get_post('group');
+	$title = $admin->get_post_escaped('title');
+	$short = $admin->get_post_escaped('short');
+	$long = $admin->get_post_escaped('long');
+	$commenting = $admin->get_post_escaped('commenting');
+	$active = $admin->get_post_escaped('active');
+	$old_link = $admin->get_post_escaped('link');
+	$group_id = $admin->get_post_escaped('group');
 }
 
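Review bot: `group_id`, `commenting` and `active` are numeric, so `$group_id = (int) $admin->get_post('group');` (and likewise for the two flags) is stronger than get_post_escaped(), which still yields strings. `$old_link` is used to build a page link later in this file; if that path goes to the filesystem, SQL escaping is not the right check for it.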
 // Get page link URL
@@ -103,10 +103,10 @@
 }
 
 // get publisedwhen and publisheduntil
-$publishedwhen = jscalendar_to_timestamp($admin->get_post('publishdate'));
+$publishedwhen = jscalendar_to_timestamp($admin->get_post_escaped('publishdate'));
 if($publishedwhen == '' || $publishedwhen < 1)
 	$publishedwhen=0;
-$publisheduntil = jscalendar_to_timestamp($admin->get_post('enddate'), $publishedwhen);
+$publisheduntil = jscalendar_to_timestamp($admin->get_post_escaped('enddate'), $publishedwhen);
 if($publisheduntil == '' || $publisheduntil < 1)
 	$publisheduntil=0;
 
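Review bot: Escaping the date strings before `jscalendar_to_timestamp()` parses them is harmless but misplaced — the values that reach SQL are the returned timestamps, so cast those: `$publishedwhen = (int) jscalendar_to_timestamp($admin->get_post('publishdate'));`, which also makes the `== ''` / `< 1` fallbacks simpler. If the helper returns `false` for an unparsable date, `(int)` turns it into 0, matching the existing fallback.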
Index: trunk/wb/modules/news/save_comment.php
===================================================================
--- trunk/wb/modules/news/save_comment.php	(revision 655)
+++ trunk/wb/modules/news/save_comment.php	(revision 656)
@@ -26,7 +26,7 @@
 require('../../config.php');
 
 // Get id
-if(!isset($_POST['comment_id']) OR !is_numeric($_POST['comment_id'])) {
+if(!isset($_POST['comment_id']) OR !is_numeric($_POST['comment_id']) OR !isset($_POST['post_id']) OR !is_numeric($_POST['post_id'])) {
 	header("Location: ".ADMIN_URL."/pages/index.php");
 	exit(0);
 } else {
@@ -41,8 +41,8 @@
 if($admin->get_post('title') == '' AND $admin->get_post('comment') == '') {
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/news/modify_comment.php?page_id='.$page_id.'&section_id='.$section_id.'comment_id='.$id);
 } else {
-	$title = $admin->add_slashes($admin->get_post('title'));
-	$comment = $admin->add_slashes($admin->get_post('comment'));
+	$title = strip_tags($admin->get_post_escaped('title'));
+	$comment = strip_tags($admin->get_post_escaped('comment'));
 	$post_id = $admin->get_post('post_id');
 }
 
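Review bot: The error redirect on line 688 builds `'&section_id='.$section_id.'comment_id='.$id` — the `&` before `comment_id` is missing, so the link carries a malformed section id and loses the comment id; it should read `'&section_id='.$section_id.'&comment_id='.$id`. On the new side `$post_id` is taken with plain get_post(), which is safe only because the numeric check was added in the previous hunk; `$post_id = (int) $admin->get_post('post_id');` would make that local.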
Index: trunk/wb/modules/news/submit_comment.php
===================================================================
--- trunk/wb/modules/news/submit_comment.php	(revision 655)
+++ trunk/wb/modules/news/submit_comment.php	(revision 656)
@@ -30,9 +30,9 @@
 $wb = new wb;
 
 // Check if we should show the form or add a comment
-if(is_numeric($_GET['page_id']) AND is_numeric($_GET['section_id']) AND isset($_GET['post_id']) AND is_numeric($_GET['post_id'])
-	AND ( ENABLED_ASP AND isset($_POST['c0mment_'.date('W')]) AND $_POST['c0mment_'.date('W')] != '')
-	OR  (!ENABLED_ASP AND isset($_POST['comment']) AND $_POST['comment'] != '')
+if(isset($_GET['page_id']) AND is_numeric($_GET['page_id']) AND isset($_GET['section_id']) AND is_numeric($_GET['section_id']) AND isset($_GET['post_id']) AND is_numeric($_GET['post_id'])
+	AND (( ENABLED_ASP AND isset($_POST['c0mment_'.date('W')]) AND $_POST['c0mment_'.date('W')] != '')
+		OR  (!ENABLED_ASP AND isset($_POST['comment']) AND $_POST['comment'] != ''))
 ) {
 	
 	if(ENABLED_ASP)
@@ -39,9 +39,14 @@
 		$comment = $_POST['c0mment_'.date('W')];
 	else
 		$comment = $_POST['comment'];
-	
+	$comment = $wb->add_slashes(strip_tags($comment));
+	$title = $wb->add_slashes(strip_tags($_POST['title']));
+	$page_id = $_GET['page_id'];
+	$section_id = $_GET['section_id'];
+	$post_id = $_GET['post_id'];
+
 	// Check captcha
-	$query_settings = $database->query("SELECT use_captcha FROM ".TABLE_PREFIX."mod_news_settings WHERE section_id = '".$_GET['section_id']."'");
+	$query_settings = $database->query("SELECT use_captcha FROM ".TABLE_PREFIX."mod_news_settings WHERE section_id = '$section_id'");
 	if($query_settings->numRows() == 0) { 
 		exit(header("Location: ".WB_URL.PAGES_DIRECTORY.""));
 	} else {
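Review bot: `$_POST['title']` is read on the new line without isset(), unlike `comment`, so a submission without a title field raises a notice before strip_tags() sees an empty string; `$title = $wb->add_slashes(strip_tags(isset($_POST['title']) ? $_POST['title'] : ''));`. Interpolating the now numeric-checked `$section_id` into the query is fine, though `(int)` casts on the three ids would make that explicit rather than relying on is_numeric().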
@@ -67,15 +72,15 @@
 				// Check for a mismatch
 				if(!isset($_POST['captcha']) OR !isset($_SESSION['captcha']) OR $_POST['captcha'] != $_SESSION['captcha']) {
 					$_SESSION['captcha_error'] = $MESSAGE['MOD_FORM']['INCORRECT_CAPTCHA'];
-					$_SESSION['comment_title'] = $_POST['title'];
+					$_SESSION['comment_title'] = $title;
 					$_SESSION['comment_body'] = $comment;
-					exit(header('Location: '.WB_URL."/modules/news/comment.php?id={$_GET['post_id']}&sid={$_GET['section_id']}"));
+					exit(header('Location: '.WB_URL."/modules/news/comment.php?id=$post_id&sid=$section_id"));
 				}
 			} else {
 				$_SESSION['captcha_error'] = $MESSAGE['MOD_FORM']['INCORRECT_CAPTCHA'];
-				$_SESSION['comment_title'] = $_POST['title'];
+				$_SESSION['comment_title'] = $title;
 				$_SESSION['comment_body'] = $comment;
-				exit(header('Location: '.WB_URL."/modules/news/comment.php?id={$_GET['post_id']}&sid={$_GET['section_id']}"));
+				exit(header('Location: '.WB_URL."/modules/news/comment.php?id=$post_id&sid=$section_id"));
 			}
 		}
 	}
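Review bot: `$_SESSION['comment_title']` and `comment_body` now hold the add_slashes()-escaped values (the assignments moved up in the previous hunk), so when comment.php redisplays them after a captcha error the user sees backslashes before quotes unless it strips them; previously the raw title was stored. Keep an unescaped copy for the session, e.g. `$title_raw = strip_tags($_POST['title']);` / `$_SESSION['comment_title'] = $title_raw;`, and escape only the values that go to SQL.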
@@ -87,11 +92,6 @@
 	}
 
 	// Insert the comment into db
-	$page_id = $_GET['page_id'];
-	$section_id = $_GET['section_id'];
-	$post_id = $_GET['post_id'];
-	$title = $wb->add_slashes(strip_tags($_POST['title']));
-	$comment = $wb->add_slashes(strip_tags($comment));
 	$commented_when = mktime();
 	if($wb->is_authenticated() == true) {
 		$commented_by = $wb->get_user_id();
@@ -104,7 +104,10 @@
 	$page = $query_page->fetchRow();
 	header('Location: '.$wb->page_link($page['link']).'?id='.$post_id);
 } else {
-	header('Location: '.WB_URL."/modules/news/comment.php?id={$_GET['post_id']}&sid={$_GET['section_id']}");
+	if(isset($_GET['post_id']) AND is_numeric($_GET['post_id']) AND isset($_GET['section_id']) AND is_numeric($_GET['section_id']))
+		header('Location: '.WB_URL."/modules/news/comment.php?id={$_GET['post_id']}&sid={$_GET['section_id']}");
+	else
+		exit(header("Location: ".WB_URL.PAGES_DIRECTORY.""));
 }
 
 ?>
\ No newline at end of file
Index: trunk/wb/modules/admin.php
===================================================================
--- trunk/wb/modules/admin.php	(revision 655)
+++ trunk/wb/modules/admin.php	(revision 656)
@@ -39,23 +39,13 @@
 }
 
 // Get page id
-if(!isset($_GET['page_id']) OR !is_numeric($_GET['page_id'])) {
-	if(!isset($_POST['page_id']) OR !is_numeric($_POST['page_id'])) {
-		if(!isset($_GET['page_id']) OR !is_numeric($_GET['page_id'])) {
-			if(!isset($_POST['page_id']) OR !is_numeric($_POST['page_id'])) {
-				header("Location: index.php");
-				exit(0);
-			} else {
-				$page_id = $_POST['page_id'];
-			}
-		} else {
-			$page_id = $_GET['page_id'];
-		}
-	} else {
-		$page_id = $_POST['page_id'];
-	}
+if(isset($_GET['page_id']) AND is_numeric($_GET['page_id'])) {
+	$page_id = $_GET['page_id'];
+} elseif(isset($_POST['page_id']) AND is_numeric($_POST['page_id'])) {
+	$page_id = $_POST['page_id'];
 } else {
-	$page_id = $_GET['page_id'];
+	header("Location: index.php");
+	exit(0);
 }
 
 // Get section id if there is one
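Review bot: is_numeric() accepts `1e3`, floats and leading whitespace, and `$page_id` is then used as-is; cast it when accepted — `$page_id = (int) $_GET['page_id'];` and `$page_id = (int) $_POST['page_id'];` — so downstream queries receive a plain integer. The flattened if/elseif is much clearer than the nested original and preserves the GET-before-POST precedence.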
