[pLog-svn] r4732 - plog/branches/lifetype-1.1.6/class/action

oscar at devel.lifetype.net oscar at devel.lifetype.net
Tue Feb 13 18:50:04 EST 2007


Author: oscar
Date: 2007-02-13 18:50:04 -0500 (Tue, 13 Feb 2007)
New Revision: 4732

Modified:
   plog/branches/lifetype-1.1.6/class/action/rssaction.class.php
Log:
Fix for the issue reported by Matt, now backported to Lifetype 1.1.6 (which should be released tomorrow). Those of you running 1.1.x, please apply this fix asap - it should be as easy as overwriting your version of class/action/rssaction.class.php with this one: 

http://devel.lifetype.net/svn/plog/plog/branches/lifetype-1.1.6/class/action/rssaction.class.php

Modified: plog/branches/lifetype-1.1.6/class/action/rssaction.class.php
===================================================================
--- plog/branches/lifetype-1.1.6/class/action/rssaction.class.php	2007-02-13 23:48:18 UTC (rev 4731)
+++ plog/branches/lifetype-1.1.6/class/action/rssaction.class.php	2007-02-13 23:50:04 UTC (rev 4732)
@@ -23,7 +23,12 @@
         	$this->BlogAction( $blogInfo, $request );
 
 			$this->registerFieldValidator( "categoryId", new IntegerValidator(), true );
-			$this->registerFieldValidator( "profile", new StringValidator(), true );
+			
+			// create a StringValidator and add an extra rule to make sure that the input string contains only
+			// alphanumeric characters
+			$profileValidator = new StringValidator();
+			$profileValidator->addRule( new RegexpRule( "^([a-zA-Z0-9]*)$" ));
+			$this->registerFieldValidator( "profile", $profileValidator, true );
 
 			// generate a dummy view with nothing in it to signal an error
 			$view = new RssView( $this->_blogInfo, RSS_VIEW_DEFAULT_PROFILE );
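Review bot: The whitelist pattern `^([a-zA-Z0-9]*)$` on the new `addRule` line may still accept a value with a trailing newline, because in PCRE `$` matches before a final "\n" unless the pattern is anchored with `\z` or compiled with the `D` modifier; whether that applies here depends on how RegexpRule wraps the expression, which is not visible in this hunk, so worth confirming. If RegexpRule passes the pattern to preg_match, `"^([a-zA-Z0-9]*)\\z"` closes that gap at no cost. The `*` quantifier deliberately admits an empty profile, which matches the fallback to the default profile elsewhere in the file; a one-line comment stating that intent, `// empty is allowed: the default profile is substituted later`, would keep a future reader from tightening it to `+` by mistake. The constructor this code belongs to starts and ends outside the hunk.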
@@ -62,6 +67,11 @@
             // use the default profile as configured
             $profile = $this->_request->getValue( "profile" );
 			if( $profile == "" ) $profile = $defaultProfile;
+			
+			// sanitize the profile variable
+			$profile = str_replace( ".", "", $profile );
+			$profile = str_replace( "/", "", $profile );
+			$profile = str_replace( "%", "", $profile );			
 
             // fetch the category, or set it to '0' otherwise, which will mean
             // fetch all the most recent posts from any category
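Review bot: The three `str_replace` lines run after the empty-string fallback on the line above them, so a value that consists only of stripped characters (for example ".") becomes "" here and is used as-is instead of `$defaultProfile`; moving the fallback below the sanitizing step, `if( $profile == "" ) $profile = $defaultProfile;`, closes that. The blacklist is also narrower than the alphanumeric whitelist the validator now enforces in the constructor (backslash and control characters are not stripped), so if validation can be bypassed on this path the two should agree; a single `$profile = preg_replace( "/[^a-zA-Z0-9]/", "", $profile );` would mirror the validator rule, and if validation always runs first these lines are effectively dead and a comment should say they are defence in depth. The enclosing method begins before and continues past this hunk.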


