[pLog-svn] r6754 - plugins/branches/lifetype-1.2/submissions/class/action

Jon Daley plogworld at jon.limedaley.com
Thu Dec 4 17:14:59 EST 2008


Thanks. Is there a better way to fix it than simply adding every
tag we can think of, which I assume is always out-of-date, not exhaustive?

On Thu, 4 Dec 2008, Matt Wood wrote:

> filterjavascript doesn't filter all javascript... here is one example I noticed looking @ svn.
> <img src=dne onerror=alert(0) />
> 
> On Thu, Dec 4, 2008 at 4:21 PM, <jondaley at devel.lifetype.net> wrote:
>       Author: jondaley
>       Date: 2008-12-04 16:21:57 -0500 (Thu, 04 Dec 2008)
>       New Revision: 6754
>
>       Modified:
>         plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>       Log:
>       have to allow HTML whether the tinymce editor is enabled or not.  At least filter javascript
>
>       Modified: plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
>       ===================================================================
>       --- plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php        2008-12-04
>       21:16:19 UTC (rev 6753)
>       +++ plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php        2008-12-04
>       21:21:57 UTC (rev 6754)
>       @@ -70,15 +70,15 @@
>
>                   $this->_text = "";
>                   $text = $this->_request->getValue( "submissionText" );
>       -                       $config =& Config::getConfig();
>       -            $htmlEnabled = $config->getValue("plugin_submissions_htmlarea_enabled");
>       -            $val2 = new StringValidator($htmlEnabled);
>       +            $val2 = new StringValidator(true);
>                   if( !$val2->validate( $text )) {
>                       $errors["submissionText"] = true;
>                       $message["submissionText"] = $this->_locale->tr("error_submission_no_text");
>                   }
>                   else{
>       -                $this->_text = $text;
>       +                    // is this too much?  Maybe just remove javascript?
>       +//                $this->_text = Textfilter::filterHtml($text);
>       +                $this->_text = Textfilter::filterJavaScript($text);
>                   }
>
>                   $this->_categoryIds = "";
>
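Review bot: The substitution at the `+ $this->_text = Textfilter::filterJavaScript($text);` line replaces one unfiltered assignment with a denylist-style filter, and the follow-up in this thread already shows it is incomplete (`<img src=dne onerror=alert(0) />` passes). Since the log message says HTML must now always be allowed, the safer shape here is the allowlist route: keep only a fixed set of known-safe tags and attributes and drop every other attribute (which removes all `on*` handlers without having to enumerate them), rather than the commented-out `Textfilter::filterHtml($text)` or a larger denylist. Two smaller points in the same hunk: removing the `plugin_submissions_htmlarea_enabled` read means that config value no longer affects this path at all, which should be stated in the log or the setting retired; and the `// is this too much?  Maybe just remove javascript?` comment plus the commented-out call should be resolved before commit rather than left as dead code.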
>       _______________________________________________
>       pLog-svn mailing list
>       pLog-svn at devel.lifetype.net
>       http://limedaley.com/mailman/listinfo/plog-svn

-- 
Jon Daley
http://jon.limedaley.com
~~
Lady: One who makes a man behave like a gentleman.
-- Jimmy Lyons
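As an added illustration of the allowlist approach the question above points toward (this is not LifeType's Textfilter code, and it is written in Python rather than the plugin's PHP): instead of listing tags or attributes to remove, the sanitizer below rebuilds the fragment from only the tags and attributes it recognises, so an attribute such as `onerror` is dropped without ever being named. The allowed tag and attribute sets, the URL scheme list and the sample inputs are all constructed for this example.

```python
"""Allowlist-based HTML sanitizer (illustrative; not LifeType's Textfilter).

A denylist ("strip <script>, strip onerror, ...") is never exhaustive.
An allowlist inverts the problem: only tags and attributes that are
explicitly permitted are emitted; everything else is dropped.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist for a comment/submission form (assumption, not
# LifeType's real configuration).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element body too
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def _safe_url(value):
    """Accept relative URLs and a few explicit schemes; reject the rest."""
    # Remove whitespace/control characters first, since browsers ignore
    # them inside a scheme (e.g. "java\tscript:"), then inspect the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of emitted, still-open tags
        self._skip = 0       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror, onclick, style, ... without naming them
            value = value or ""
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if tag in self.open_tags:
            # Close anything opened after it so the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self._skip:
            return
        # Text is always re-escaped, so decoded entities cannot re-form markup.
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(fragment):
    """Return a fragment containing only allowlisted tags and attributes."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs, including the example from the thread.
    for sample in ('<img src=dne onerror=alert(0) />',
                   '<a href="javascript:alert(1)" title="t">x</a>',
                   '<p onclick="x">hi <b>there</p>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The important design choice is that `handle_starttag` never looks for bad attribute names at all; it only copies names that appear in `ALLOWED_ATTRS` for that tag, and applies a scheme check to the two attributes that carry URLs. Extending the form's formatting options then means adding to the allowlist, while anything not added stays filtered by default.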

