From ff71173477e54774b5571015d49d944f51cb8a26 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Thu, 19 Apr 2012 11:26:46 +0200 Subject: escape target error message (SECURITY) FS#2487 FS#2488 The error message when a non-existant editor was tried to load wasn't escaped correctly, allowing to introduce arbitrary JavaScript to the output, leading to a XSS vulnerability. Note: the reported second XCRF vulnerability is the same bug, the xploit code simply uses JavaScript to extract a valid CSRF token from the site --- inc/html.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/html.php') diff --git a/inc/html.php b/inc/html.php index b233e1d92..022cd792a 100644 --- a/inc/html.php +++ b/inc/html.php @@ -1436,7 +1436,7 @@ function html_edit_form($param) { global $TEXT; if ($param['target'] !== 'section') { - msg('No editor for edit target ' . $param['target'] . ' found.', -1); + msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1); } $attr = array('tabindex'=>'1'); -- cgit v1.2.3 From 8a803cae76e430dc0f358986db3420ef45049370 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 20 Apr 2012 21:42:53 +0200 Subject: some edge case checking in search result highlighting --- inc/html.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'inc/html.php') diff --git a/inc/html.php b/inc/html.php index 022cd792a..be5666353 100644 --- a/inc/html.php +++ b/inc/html.php @@ -280,8 +280,11 @@ function html_draft(){ * @author Harry Fuecks */ function html_hilight($html,$phrases){ - $phrases = array_filter((array) $phrases); - $regex = join('|',array_map('ft_snippet_re_preprocess', array_map('preg_quote_cb',$phrases))); + $phrases = (array) $phrases; + $phrases = array_map('preg_quote_cb', $phrases); + $phrases = array_map('ft_snippet_re_preprocess', $phrases); + $phrases = array_filter($phrases); + $regex = join('|',$phrases); if ($regex === '') return $html; if (!utf8_check($regex)) return $html; -- cgit v1.2.3