[ic] Standard demo: prevent XSS on forum submission
Josh Lavin
josh-ic at att.net
Thu Nov 19 15:51:23 UTC 2009
The mv_arg parameter is not filtered when output in the page during
forum comment submission and replies, which can allow cross-site
scripting to be used.
http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297
--- a/dist/standard/include/forum/reply_form
+++ b/dist/standard/include/forum/reply_form
@@ -1,4 +1,4 @@
-[loop list="[data session arg]"]
+[loop list="[data base=session field=arg filter=encode_entities]"]
<form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
<input type=hidden name=artid VALUE="[loop-data forum artid]">
<input type=hidden name=parent VALUE="[loop-code]">
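Review bot: the encoding is applied once, at the head of the loop, so `[loop-code]` in the hidden `parent` input two lines below now carries the entity-encoded arg, which is the right form for a `VALUE="..."` attribute. Two things to confirm: if `[loop-data forum artid]` is keyed on the loop value (as loop-data normally is), an arg containing `&`, `<`, `>` or `"` will now be looked up in its encoded form, so check that such values still resolve (a plain numeric id is unaffected); and any `[data session arg]` in this include or the surrounding page that sits outside this loop stays unfiltered, so a grep for the old form across dist/standard would show whether this patch reaches every output site. While touching the file, the unquoted `type=hidden name=parent` attributes could be brought in line with the quoted form used in submit_form.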
--- a/dist/standard/include/forum/submit_form
+++ b/dist/standard/include/forum/submit_form
@@ -4,7 +4,7 @@
return;
[/calc]
[/if]
-[loop list="[data session arg]"]
+[loop list="[data base=session field=arg filter=encode_entities]"]
<form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
<input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
<input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
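Review bot: this is the same one-line change as in reply_form, and the two includes carry near-identical copies of the form (down to the `[loop-code]` parent field), so the bug had to be fixed twice. Output encoding at the loop is the correct place for it; consider factoring the shared form into one include so a third copy cannot reintroduce the unfiltered `[data session arg]`, and add a comment on the loop line saying the filter is there for the attribute context so a later cleanup does not drop it.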
--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/
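An added example, not code from the post or from the Interchange project, of what the `filter=encode_entities` change does at the attribute output site the hunks touch. Python's standard-library `html.escape` stands in for Interchange's `encode_entities` filter (assumption: it encodes the same characters, `& < > " '`), `hidden_input` mimics the hidden `parent` field from the patched includes, and `RAW_ARG` is a constructed sample value. A browser-style tokenizer shows the difference: unfiltered, the value closes the attribute and a second element appears; filtered, the tag stays a single element whose attribute decodes back to the original. The last function is a simple textual check for template lines still using the unfiltered form.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample for the session "arg", chosen so that it would close the
# VALUE="..." attribute if emitted raw.  Not data from the post.
RAW_ARG = '42"><b>bold</b>'


def encode_entities(value: str) -> str:
    """Stand-in for Interchange's encode_entities filter.
    Assumption: html.escape encodes the same characters (& < > " ')."""
    return html.escape(value, quote=True)


def hidden_input(name: str, value: str, filtered: bool) -> str:
    """Render the hidden field from the patched includes.
    filtered=False corresponds to the old [data session arg] line."""
    shown = encode_entities(value) if filtered else value
    return f'<input type="hidden" name="{name}" value="{shown}">'


class _TagCollector(HTMLParser):
    """Collect (tag, attrs) pairs the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser entity-decodes quoted attribute values for us.
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return the start tags found in markup as (tag, {attr: value}) pairs."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Matches the pre-patch tag, and the base=/field= form when no filter= is given.
_UNFILTERED = re.compile(
    r"\[data\s+(?:session\s+arg|base=session\s+field=arg)(?:\s+(?!filter=)\S+)*\s*\]"
)


def unfiltered_arg_lines(template: str) -> list:
    """1-based line numbers of template lines that still emit the session arg
    without a filter.  Textual check only, not a full ITL parser."""
    return [n for n, line in enumerate(template.splitlines(), 1) if _UNFILTERED.search(line)]


# Constructed template snippet: the old and new loop lines from the two hunks.
SAMPLE_TEMPLATE = """\
[loop list="[data session arg]"]
[loop list="[data base=session field=arg filter=encode_entities]"]
<input type=hidden name=parent VALUE="[loop-code]">
[/loop]
"""


if __name__ == "__main__":
    for filtered in (False, True):
        markup = hidden_input("parent", RAW_ARG, filtered)
        print(f"filtered={filtered}: {markup}")
        print("  tags seen:", [t for t, _ in parse_tags(markup)])
    print("unfiltered arg on lines:", unfiltered_arg_lines(SAMPLE_TEMPLATE))
```

Run as-is: the unfiltered rendering tokenizes into an `input` followed by an injected `b` element, the filtered one into a single `input` whose `value` decodes to `RAW_ARG`, and the template check reports line 1 only.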