From 944c29b96429ec95ac1371cb33cc43704a60c7b1 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Tue, 20 Nov 2018 16:02:03 +0100
Subject: Require POST for sending forms
* Ensure that the form is submitted with a post request
* Replaced several links with forms
Closes #494 (Security Vulnerability)
---
 includes/pages/user_news.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'includes/pages/user_news.php')
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index d7e681a6..e101be6b 100644
--- includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -142,7 +142,7 @@ function user_news_comments()
 ) {
 $nid = $request->input('nid');
 $news = DB::selectOne('SELECT * FROM `News` WHERE `ID`=? LIMIT 1', [$nid]);
- if ($request->has('text')) {
+ if ($request->hasPostData('submit') && $request->has('text')) {
 $text = preg_replace(
 "/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui",
 '',
--
cgit v1.2.3-54-g00ecf
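Review bot: The new guard on the `if` line only proves that `submit` arrived in a POST body; nothing visible in this hunk validates a per-session anti-CSRF token, so requiring POST narrows the issue referenced in the commit message without closing it for cross-origin form submissions. Unless a token is already verified in middleware outside this hunk, it should be checked here before the comment is stored. Separately, `$request->has('text')` and `$request->input('nid')` appear to accept query-string values as well, so only `submit` is pinned to the request body; if the request class allows it, tighten the condition to `if ($request->hasPostData('submit') && $request->hasPostData('text')) {`. The body of user_news_comments() starts before and continues past this hunk, so the handling of `$news` and the insert itself could not be reviewed.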