From 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Tue, 29 Aug 2017 22:22:53 +0200
Subject: Security: Only allow angels with admin_news_html privilege to use
 HTML

---
 includes/pages/user_news.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'includes/pages/user_news.php')

diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index bdbb0645..0e38e619 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -155,7 +155,7 @@ function user_news_comments()
             $user_source = User($comment['UID']);
 
             $html .= '<div class="panel panel-default">';
-            $html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>';
+            $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
             $html .= '<div class="panel-footer text-muted">';
             $html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . '&emsp;';
             $html .= User_Nick_render($user_source);
@@ -191,14 +191,20 @@ function user_news()
         if (!$request->has('treffen')) {
             $isMeeting = 0;
         }
+
+        $text = $request->postData('text');
+        if (!in_array('admin_news_html', $privileges)) {
+            $text = strip_tags($text);
+        }
+
         DB::insert('
             INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
             VALUES (?, ?, ?, ?, ?)
             ',
             [
                 time(),
-                $request->postData('betreff'),
-                $request->postData('text'),
+                strip_tags($request->postData('betreff')),
+                $text,
                 $user['UID'],
                 $isMeeting,
             ]
-- 
cgit v1.2.3-54-g00ecf