From 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 Mon Sep 17 00:00:00 2001 From: Igor Scheller Date: Tue, 29 Aug 2017 22:22:53 +0200 Subject: Security: Only allow angels with admin_news_html privilege to use HTML --- includes/pages/admin_news.php | 11 ++++++++--- includes/pages/admin_user.php | 2 +- includes/pages/guest_login.php | 2 +- includes/pages/user_news.php | 12 +++++++++--- 4 files changed, 19 insertions(+), 8 deletions(-) (limited to 'includes/pages') diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php index 64a54f4b..bc78a6b1 100644 --- a/includes/pages/admin_news.php +++ b/includes/pages/admin_news.php @@ -7,7 +7,7 @@ use Engelsystem\Database\DB; */ function admin_news() { - global $user; + global $user, $privileges; $request = request(); if (!$request->has('action')) { @@ -51,6 +51,11 @@ function admin_news() break; case 'save': + $text = $request->postData('eText'); + if (!in_array('admin_news_html', $privileges)) { + $text = strip_tags($text); + } + DB::update(' UPDATE `News` SET `Datum`=?, @@ -62,8 +67,8 @@ function admin_news() ', [ time(), - $request->postData('eBetreff'), - $request->postData('eText'), + strip_tags($request->postData('eBetreff')), + $text, $user['UID'], $request->has('eTreffen') ? 1 : 0, $news_id diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index aea68f52..ca814b2e 100644 --- a/includes/pages/admin_user.php +++ b/includes/pages/admin_user.php @@ -272,7 +272,7 @@ function admin_user() WHERE `UID` = ? LIMIT 1'; DB::update($sql, [ - $request->postData('eNick'), + User_validate_Nick($request->postData('eNick')), $request->postData('eName'), $request->postData('eVorname'), $request->postData('eTelefon'), diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index 3966b55c..9c706cfc 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -233,7 +233,7 @@ function guest_register() // Assign user-group and set password $user_id = DB::getPdo()->lastInsertId(); - DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]); + DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -20)', [$user_id]); set_password($user_id, $request->postData('password')); // Assign angel-types diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php index bdbb0645..0e38e619 100644 --- a/includes/pages/user_news.php +++ b/includes/pages/user_news.php @@ -155,7 +155,7 @@ function user_news_comments() $user_source = User($comment['UID']); $html .= '
'; - $html .= '
' . nl2br($comment['Text']) . '
'; + $html .= '
' . nl2br(htmlspecialchars($comment['Text'])) . '
'; $html .= '
'; $html .= ' ' . $comment['Datum'] . ' '; $html .= User_Nick_render($user_source); @@ -191,14 +191,20 @@ function user_news() if (!$request->has('treffen')) { $isMeeting = 0; } + + $text = $request->postData('text'); + if (!in_array('admin_news_html', $privileges)) { + $text = strip_tags($text); + } + DB::insert(' INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) VALUES (?, ?, ?, ?, ?) ', [ time(), - $request->postData('betreff'), - $request->postData('text'), + strip_tags($request->postData('betreff')), + $text, $user['UID'], $isMeeting, ] -- cgit v1.2.3-54-g00ecf