[geeklog-cvs] geeklog: Fixed XSS (reported by Gerendi Sandor Attila)

[geeklog-cvs at lists.geeklog.net]

details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/dcbfd5270aa9
changeset: 7208:dcbfd5270aa9
user:      Dirk Haun <dirk at haun-online.de>
date:      Wed Jul 29 13:36:24 2009 +0200
description:
Fixed XSS (reported by Gerendi Sandor Attila)

diffstat:

 public_html/profiles.php |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (21 lines):

diff -r bd3a784653f8 -r dcbfd5270aa9 public_html/profiles.php
--- a/public_html/profiles.php	Wed Jul 29 14:49:13 2009 -0400
+++ b/public_html/profiles.php	Wed Jul 29 13:36:24 2009 +0200
@@ -245,7 +245,7 @@
             $mail_template->set_var('lang_subject', $LANG08[13]);
             $mail_template->set_var('subject', $subject);
             $mail_template->set_var('lang_message', $LANG08[14]);
-            $mail_template->set_var('message', $message);
+            $mail_template->set_var('message', htmlspecialchars($message));
             $mail_template->set_var('lang_nohtml', $LANG08[15]);
             $mail_template->set_var('lang_submit', $LANG08[16]);
             $mail_template->set_var('uid', $uid);
@@ -442,7 +442,7 @@
     $mail_template->set_var('lang_toemailaddress', $LANG08[19]);
     $mail_template->set_var('toemail', $toemail);
     $mail_template->set_var('lang_shortmessage', $LANG08[27]);
-    $mail_template->set_var('shortmsg', $shortmsg);
+    $mail_template->set_var('shortmsg', htmlspecialchars($shortmsg));
     $mail_template->set_var('lang_warning', $LANG08[22]);
     $mail_template->set_var('lang_sendmessage', $LANG08[16]);
     $mail_template->set_var('story_id',$sid);