authorIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
committerIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
commit3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch)
treea1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /includes/pages/admin_news.php
parentcc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff)
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'includes/pages/admin_news.php')
-rw-r--r--includes/pages/admin_news.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php
index 64a54f4b..bc78a6b1 100644
--- a/includes/pages/admin_news.php
+++ b/includes/pages/admin_news.php
@@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
*/
function admin_news()
{
- global $user;
+ global $user, $privileges;
$request = request();
if (!$request->has('action')) {
@@ -51,6 +51,11 @@ function admin_news()
break;
case 'save':
+ $text = $request->postData('eText');
+ if (!in_array('admin_news_html', $privileges)) {
+ $text = strip_tags($text);
+ }
+
DB::update('
UPDATE `News` SET
`Datum`=?,
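Review bot: The `admin_news_html` gate on line 32 covers only the `save` branch, which makes the stored `News.Text` column trusted HTML from here on, so every other path that writes it (a create/new-entry action, which I would expect elsewhere in this file or a sibling page but cannot see) has to apply the same privilege check or the unescaped render side becomes an XSS sink; I would state that invariant above the check, e.g. `// News text is rendered as raw HTML: only admin_news_html holders may store markup, every other writer must strip it`. The membership test should be strict, `in_array('admin_news_html', $privileges, true)`, because under the loose comparison of PHP 7 an integer `0` or a boolean `true` in `$privileges` would match the string and grant HTML. `strip_tags()` is an acceptable allow-nothing filter for text-node output, but it is lossy on malformed input and gives no guarantee for attribute or script contexts, so output escaping elsewhere must not be dropped on its account. One functional side effect worth a UI hint: an editor without the privilege who re-saves an item written with HTML silently strips that markup. `admin_news()` continues past this hunk.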
@@ -62,8 +67,8 @@ function admin_news()
',
[
time(),
- $request->postData('eBetreff'),
- $request->postData('eText'),
+ strip_tags($request->postData('eBetreff')),
+ $text,
$user['UID'],
$request->has('eTreffen') ? 1 : 0,
$news_id
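Review bot: `strip_tags()` on `eBetreff` at line 45 runs for every user, including `admin_news_html` holders, so the subject can never carry markup while the body can; that asymmetry looks intentional but is undocumented, and a one-line comment such as `// subject is always plain text; only the body honours admin_news_html` would keep a later maintainer from "fixing" it. Presumably the subject is also shown in non-body contexts (list views, titles), where tag stripping alone is not escaping — verify the render side still applies `htmlspecialchars()` to it. `admin_news()` continues past this hunk.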