summaryrefslogtreecommitdiffstats
path: root/web/template
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 10:49:51 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 10:49:51 +0200
commit3aa2240b7dc281b37716a29025b08baf1318d059 (patch)
tree51b7249961f07ba392fb76b4698130fdac797182 /web/template
parent11366b8a1a156fa645c4f24d4c3bf939e064d4c9 (diff)
downloadaur-3aa2240b7dc281b37716a29025b08baf1318d059.tar.gz
aur-3aa2240b7dc281b37716a29025b08baf1318d059.tar.xz
Fix XSS vulnerabilities in package comment templates.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/template')
-rw-r--r--web/template/pkg_comment_form.php4
-rw-r--r--web/template/pkg_comments.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index 346fb6a8..72ad3fa3 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -50,14 +50,14 @@ if (isset($_REQUEST['comment'])) {
# Prompt visitor for comment
?>
<div class="pgbox">
- <form action='<?php echo $_SERVER['PHP_SELF'] . '?ID=' . $_REQUEST['ID'] ?>' method='post'>
+ <form action='<?php echo $_SERVER['REQUEST_URI'] ?>' method='post'>
<div style="padding: 1%">
<?php
if (isset($_REQUEST['comment'])) {
echo '<b>' . __('Comment has been added.') . '</b>';
}
?>
- <input type='hidden' name='ID' value="<?php echo $_REQUEST['ID'] ?>" />
+ <input type='hidden' name='ID' value="<?php echo intval($_REQUEST['ID']) ?>" />
<?php echo __('Enter your comment below.') ?><br />
<textarea name='comment' cols='80' rows='10' style="width: 100%"></textarea><br />
<input type='submit' value="<?php echo __("Submit") ?>" />
diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php
index 8e64e11a..aed9ca8b 100644
--- a/web/template/pkg_comments.php
+++ b/web/template/pkg_comments.php
@@ -39,7 +39,7 @@ while (list($indx, $carr) = each($comments)) { ?>
$count = package_comments_count($_GET['ID']);
if ($count > 10 && !isset($_GET['comments'])) {
echo '<div class="pgbox">';
- echo '<a href="'. $_SERVER['PHP_SELF'] . '?ID=' . $_REQUEST['ID'] . '&comments=all">'. __('Show all %s comments', $count) . '</a>';
+ echo '<a href="'. $_SERVER['REQUEST_URI'] . '&comments=all">'. __('Show all %s comments', $count) . '</a>';
echo '</div>';
}
?>