author | Igor Scheller <igor.scheller@igorshp.de> | 2017-08-29 22:22:53 +0200 |
---|---|---|
committer | Igor Scheller <igor.scheller@igorshp.de> | 2017-08-29 22:22:53 +0200 |
commit | 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch) | |
tree | a1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /includes/pages/admin_news.php | |
parent | cc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff) |
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'includes/pages/admin_news.php')
-rw-r--r-- | includes/pages/admin_news.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php
index 64a54f4b..bc78a6b1 100644
--- a/includes/pages/admin_news.php
+++ b/includes/pages/admin_news.php
@@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
 */
 function admin_news()
 {
- global $user;
+ global $user, $privileges;
 
 $request = request();
 if (!$request->has('action')) {
@@ -51,6 +51,11 @@ function admin_news()
 break;
 
 case 'save':
+ $text = $request->postData('eText');
+ if (!in_array('admin_news_html', $privileges)) {
+ $text = strip_tags($text);
+ }
+
 DB::update('
 UPDATE `News` SET
 `Datum`=?,
@@ -62,8 +67,8 @@ function admin_news()
 ', [
 time(),
- $request->postData('eBetreff'),
- $request->postData('eText'),
+ strip_tags($request->postData('eBetreff')),
+ $text,
 $user['UID'],
 $request->has('eTreffen') ? 1 : 0,
 $news_id
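Review bot: The privilege check and `strip_tags()` added at the top of the `save` case filter only at write time, so news rows stored before this change keep whatever HTML they already contain, and the display path (outside this hunk) presumably still renders them as HTML; a one-off cleanup of existing rows, or escaping non-privileged text on output instead of stripping it on input, would cover that. `strip_tags()` removes tags but is not a general HTML sanitizer, which is acceptable for the non-privileged branch only because everything that survives is plain text — a comment such as `// News text is rendered as HTML; only admin_news_html may store markup` would record that assumption next to the check. The membership test should be strict, `if (!in_array('admin_news_html', $privileges, true)) {`. If admin_news() has another action that writes `eText` (the function continues outside these hunks), it needs the same guard.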