[pLog-svn] r4732 - plog/branches/lifetype-1.1.6/class/action

Mark Wu markplace at gmail.com
Wed Feb 14 04:11:55 EST 2007


Maybe we also need to consider a backport to 1.0.x.

There are still a lot of people using 1.0.x who have not upgraded to 1.1.x.

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> oscar at devel.lifetype.net
> Sent: Wednesday, February 14, 2007 7:50 AM
> To: plog-svn at devel.lifetype.net
> Subject: [pLog-svn] r4732 - plog/branches/lifetype-1.1.6/class/action
> 
> Author: oscar
> Date: 2007-02-13 18:50:04 -0500 (Tue, 13 Feb 2007)
> New Revision: 4732
> 
> Modified:
>    plog/branches/lifetype-1.1.6/class/action/rssaction.class.php
> Log:
> Fix for the issue reported by Matt, now backported to 
> Lifetype 1.1.6 (which should be released tomorrow). Those of 
> you running 1.1.x, please apply this fix asap - it should be 
> as easy as overwriting your version of 
> class/action/rssaction.class.php with this one: 
> 
> http://devel.lifetype.net/svn/plog/plog/branches/lifetype-1.1.6/class/action/rssaction.class.php
> 
> Modified: 
> plog/branches/lifetype-1.1.6/class/action/rssaction.class.php
> ===================================================================
> --- 
> plog/branches/lifetype-1.1.6/class/action/rssaction.class.php	
> 2007-02-13 23:48:18 UTC (rev 4731)
> +++ 
> plog/branches/lifetype-1.1.6/class/action/rssaction.class.php	
> 2007-02-13 23:50:04 UTC (rev 4732)
> @@ -23,7 +23,12 @@
>          	$this->BlogAction( $blogInfo, $request );
>  
>  			$this->registerFieldValidator( 
> "categoryId", new IntegerValidator(), true );
> -			$this->registerFieldValidator( 
> "profile", new StringValidator(), true );
> +			
> +			// create a StringValidator and add an 
> extra rule to make sure that the input string contains only
> +			// alphanumeric characters
> +			$profileValidator = new StringValidator();
> +			$profileValidator->addRule( new 
> RegexpRule( "^([a-zA-Z0-9]*)$" ));
> +			$this->registerFieldValidator( 
> "profile", $profileValidator, true );
>  
>  			// generate a dummy view with nothing 
> in it to signal an error
>  			$view = new RssView( $this->_blogInfo, 
> RSS_VIEW_DEFAULT_PROFILE ); @@ -62,6 +67,11 @@
>              // use the default profile as configured
>              $profile = $this->_request->getValue( "profile" );
>  			if( $profile == "" ) $profile = $defaultProfile;
> +			
> +			// sanitize the profile variable
> +			$profile = str_replace( ".", "", $profile );
> +			$profile = str_replace( "/", "", $profile );
> +			$profile = str_replace( "%", "", 
> $profile );			
>  
>              // fetch the category, or set it to '0' 
> otherwise, which will mean
>              // fetch all the most recent posts from any category
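Review bot: in the first hunk (`@@ -23,7 +23,12 @@`), the allowlist pattern `"^([a-zA-Z0-9]*)$"` handed to `RegexpRule` is the right approach, but two details deserve a check. The pattern carries no delimiters, so it relies on `RegexpRule` adding them or using a POSIX regex function; if it ends up in `preg_match`, `$` still matches before a trailing newline, and `^[a-zA-Z0-9]*\z` (or the `D` modifier) bounds the value strictly. Also, `*` accepts an empty profile, which is consistent with the later fallback to `$defaultProfile`, but the new comment ("contains only alphanumeric characters") should say that the empty string passes too.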
> 
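Review bot: in the second hunk (`@@ -62,6 +67,11 @@`), the three `str_replace` calls run after `if( $profile == "" ) $profile = $defaultProfile;`, so a value that stripping reduces to "" (one made up only of the removed characters) no longer falls back to the default profile; the empty check belongs below the sanitization. More generally, since the first hunk already restricts `profile` to `[a-zA-Z0-9]`, consider rejecting anything the validator refuses instead of silently rewriting it, because character removal covers only the three listed characters and a rewritten value changes which profile is served without telling the caller. The trailing tabs after `$profile );` should also be dropped.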
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
> 