authorIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
committerIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
commit3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch)
treea1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /includes/pages/user_news.php
parentcc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff)
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'includes/pages/user_news.php')
-rw-r--r--includes/pages/user_news.php12
1 files changed, 9 insertions, 3 deletions
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index bdbb0645..0e38e619 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -155,7 +155,7 @@ function user_news_comments()
$user_source = User($comment['UID']);
$html .= '<div class="panel panel-default">';
- $html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>';
+ $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
$html .= '<div class="panel-footer text-muted">';
$html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . '&emsp;';
$html .= User_Nick_render($user_source);
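Review bot: The new `htmlspecialchars()` call on the comment body relies on the default flags, which on the PHP versions current for this commit (pre-8.1) means ENT_COMPAT: single quotes are left unescaped and, without ENT_SUBSTITUTE, an invalid UTF-8 sequence in the comment makes the function return an empty string, silently blanking that comment. Pass the flags and charset explicitly: `nl2br(htmlspecialchars($comment['Text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`. The `$comment['Datum']` value on the following line is still concatenated unescaped; it is presumably a database timestamp and low risk, but escaping it the same way would make this output path uniformly encoded. user_news_comments() begins before this hunk.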
@@ -191,14 +191,20 @@ function user_news()
if (!$request->has('treffen')) {
$isMeeting = 0;
}
+
+ $text = $request->postData('text');
+ if (!in_array('admin_news_html', $privileges)) {
+ $text = strip_tags($text);
+ }
+
DB::insert('
INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
VALUES (?, ?, ?, ?, ?)
',
[
time(),
- $request->postData('betreff'),
- $request->postData('text'),
+ strip_tags($request->postData('betreff')),
+ $text,
$user['UID'],
$isMeeting,
]