From 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Tue, 29 Aug 2017 22:22:53 +0200
Subject: Security: Only allow angels with admin_news_html privilege to use
 HTML

---
 includes/pages/admin_news.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'includes/pages/admin_news.php')

diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php
index 64a54f4b..bc78a6b1 100644
--- a/includes/pages/admin_news.php
+++ b/includes/pages/admin_news.php
@@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
  */
 function admin_news()
 {
-    global $user;
+    global $user, $privileges;
     $request = request();
 
     if (!$request->has('action')) {
@@ -51,6 +51,11 @@ function admin_news()
             break;
 
         case 'save':
+            $text = $request->postData('eText');
+            if (!in_array('admin_news_html', $privileges)) {
+                $text = strip_tags($text);
+            }
+
             DB::update('
                 UPDATE `News` SET
                     `Datum`=?,
@@ -62,8 +67,8 @@ function admin_news()
                 ',
                 [
                     time(),
-                    $request->postData('eBetreff'),
-                    $request->postData('eText'),
+                    strip_tags($request->postData('eBetreff')),
+                    $text,
                     $user['UID'],
                     $request->has('eTreffen') ? 1 : 0,
                     $news_id
-- 
cgit v1.2.3-54-g00ecf