[pLog-svn] r6754 - plugins/branches/lifetype-1.2/submissions/class/action

Matt Wood matt at woodzy.com
Thu Dec 4 17:01:38 EST 2008 

filterjavascript doesn't filter all javascript... here is one example i
noticed looking @ svn.
<img src=dne onerror=alert(0) />

On Thu, Dec 4, 2008 at 4:21 PM, <jondaley at devel.lifetype.net> wrote:

> Author: jondaley
> Date: 2008-12-04 16:21:57 -0500 (Thu, 04 Dec 2008)
> New Revision: 6754
>
> Modified:
>
> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
> Log:
> have to allow HTML whether the tinymce editor is enabled or not.  At least
> filter javascript
>
> Modified:
> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
> ===================================================================
> ---
> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>        2008-12-04 21:16:19 UTC (rev 6753)
> +++
> plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>        2008-12-04 21:21:57 UTC (rev 6754)
> @@ -70,15 +70,15 @@
>
>             $this->_text = "";
>             $text = $this->_request->getValue( "submissionText" );
> -                       $config =& Config::getConfig();
> -            $htmlEnabled =
> $config->getValue("plugin_submissions_htmlarea_enabled");
> -            $val2 = new StringValidator($htmlEnabled);
> +            $val2 = new StringValidator(true);
>             if( !$val2->validate( $text )) {
>                 $errors["submissionText"] = true;
>                 $message["submissionText"] =
> $this->_locale->tr("error_submission_no_text");
>             }
>             else{
> -                $this->_text = $text;
> +                    // is this too much?  Maybe just remove javascript?
> +//                $this->_text = Textfilter::filterHtml($text);
> +                $this->_text = Textfilter::filterJavaScript($text);
>             }
>
>             $this->_categoryIds = "";
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://limedaley.com/pipermail/plog-svn/attachments/20081204/d9ad8fe0/attachment.html>

More information about the pLog-svn mailing list