author | Igor Scheller <igor.scheller@igorshp.de> | 2017-08-29 22:22:53 +0200 |
---|---|---|
committer | Igor Scheller <igor.scheller@igorshp.de> | 2017-08-29 22:22:53 +0200 |
commit | 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch) | |
tree | a1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /includes/pages/user_news.php | |
parent | cc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff) |
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'includes/pages/user_news.php')
-rw-r--r-- | includes/pages/user_news.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index bdbb0645..0e38e619 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -155,7 +155,7 @@ function user_news_comments()
 $user_source = User($comment['UID']);
 $html .= '<div class="panel panel-default">';
- $html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>';
+ $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
 $html .= '<div class="panel-footer text-muted">';
 $html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . ' ';
 $html .= User_Nick_render($user_source);
@@ -191,14 +191,20 @@ function user_news()
 if (!$request->has('treffen')) {
 $isMeeting = 0;
 }
+
+ $text = $request->postData('text');
+ if (!in_array('admin_news_html', $privileges)) {
+ $text = strip_tags($text);
+ }
+
 DB::insert('
 INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
 VALUES (?, ?, ?, ?, ?)
 ', [
 time(),
- $request->postData('betreff'),
- $request->postData('text'),
+ strip_tags($request->postData('betreff')),
+ $text,
 $user['UID'],
 $isMeeting,
 ] |
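Review bot: The new `htmlspecialchars($comment['Text'])` call uses the default flags, which before PHP 8.1 do not escape single quotes and, without ENT_SUBSTITUTE, make the function return an empty string for any comment containing an invalid UTF-8 byte sequence, so such a comment is silently blanked instead of rendered. Pass the flags and charset explicitly: `nl2br(htmlspecialchars($comment['Text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`. The neighbouring lines still concatenate `$comment['Datum']` and the result of `User_Nick_render($user_source)` unescaped; that is fine only if neither can carry user-controlled text, which the hunk does not show. user_news_comments() begins and ends outside the hunk.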
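Review bot: `strip_tags($text)` on the new line rewrites the stored content rather than escaping it at output, and it discards everything after an unterminated `<`, so a plain-text post such as `1<2` from a non-privileged angel silently loses its tail; the more robust shape is to store the text as submitted and apply `htmlspecialchars` at render time unless the author held `admin_news_html`, which would also mean a later revocation of that privilege takes effect for existing rows, whereas this write-time check leaves previously stored HTML in the table. Independently, the membership test should be strict to avoid loose comparison against whatever `$privileges` holds: `if (!in_array('admin_news_html', $privileges, true)) {`. `$privileges` is not assigned within the hunk, so presumably it is established earlier in user_news(), which begins and ends outside the hunk; the subject is stripped unconditionally via `strip_tags($request->postData('betreff'))` while the body is gated, and a one-line comment stating that subjects intentionally never carry HTML would make that asymmetry clear.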