fix XSS security vulnerability
(Thanks to Stefan Schurtz!)
parent
cd8311e6f1
commit
8ff9b85b9d
@ -1,6 +1,15 @@
|
|||
1.16:
|
||||
-----
|
||||
|
||||
fix XSS security vulnerability (Thanks to Stefan Schurtz!)
|
||||
|
||||
1.15:
|
||||
-----
|
||||
|
||||
latest: Smarty3 forward compatibility
|
||||
|
||||
1.14:
|
||||
|
||||
Added check to circument adduser plugin's "registered only" option.
|
||||
|
||||
1.13:
|
||||
|
@ -18,4 +27,4 @@ Fix XHTML validity of checked="checked"
|
|||
1.10:
|
||||
-----
|
||||
|
||||
Introcuce new "issue counter".
|
||||
Introdcuce new "issue counter".
|
|
@ -1,33 +0,0 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type" content="text/html; charset=utf-8">
|
||||
<meta name="generator" content="PSPad editor, www.pspad.com">
|
||||
<title>Dokumentace: Kontaktní formulář</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1>Dokumentace k pluginu 'Kontaktní formulář'</h1>
|
||||
|
||||
<p>Dokumentaci k tomuto pluginu přeložil do češtiny Vladimír Ajgl (vlada [zavinac] ajgl [tecka] cz) dne 22.11.2010. Od té doby mohl být plugin pozměněn nebo mohly být rozšířené jeho funkce. Zkontrolujte pro jistotu i <a href="../ChangeLog">aktuální anglický ChangeLog</a>.
|
||||
<p>
|
||||
|
||||
|
||||
<h2>Historie verzí (ChangeLog)</h2>
|
||||
<ul>
|
||||
<li>Verze 1.13</li>
|
||||
<ul>
|
||||
<li>V pluginu spamblock vynucení správené "doby životnosti" u kryptogramů. Doteď nezáleželo na tom, co uživatel zadal, přestože byly kryptogramy zobrazeny.</li>
|
||||
</ul>
|
||||
<li>Verze 1.11</li>
|
||||
<ul>
|
||||
<li>Oprava - validita XHTML kódu checked="checked"</li>
|
||||
</ul>
|
||||
<li>Verze 1.10</li>
|
||||
<ul>
|
||||
<li>Zavedeno nové "počítadlo použití"</li>
|
||||
</ul>
|
||||
</ul>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -1,33 +0,0 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type" content="text/html; charset=utf-8">
|
||||
<meta name="generator" content="PSPad editor, www.pspad.com">
|
||||
<title>Dokumentace: Kontaktní formulář</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1>Dokumentace k pluginu 'Kontaktní formulář'</h1>
|
||||
|
||||
<p>Dokumentaci k tomuto pluginu přeložil do češtiny Vladimír Ajgl (vlada [zavinac] ajgl [tecka] cz) dne 22.11.2010. Od té doby mohl být plugin pozměněn nebo mohly být rozšířené jeho funkce. Zkontrolujte pro jistotu i <a href="../ChangeLog">aktuální anglický ChangeLog</a>.
|
||||
<p>
|
||||
|
||||
|
||||
<h2>Historie verzí (ChangeLog)</h2>
|
||||
<ul>
|
||||
<li>Verze 1.13</li>
|
||||
<ul>
|
||||
<li>V pluginu spamblock vynucení správené "doby životnosti" u kryptogramů. Doteď nezáleželo na tom, co uživatel zadal, přestože byly kryptogramy zobrazeny.</li>
|
||||
</ul>
|
||||
<li>Verze 1.11</li>
|
||||
<ul>
|
||||
<li>Oprava - validita XHTML kódu checked="checked"</li>
|
||||
</ul>
|
||||
<li>Verze 1.10</li>
|
||||
<ul>
|
||||
<li>Zavedeno nové "počítadlo použití"</li>
|
||||
</ul>
|
||||
</ul>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -10,36 +10,36 @@
|
|||
{/if}
|
||||
|
||||
<div>
|
||||
{$plugin_contactform_preface}
|
||||
{$plugin_contactform_preface}
|
||||
</div>
|
||||
<br /><br />
|
||||
|
||||
{if $is_contactform_sent}
|
||||
<div class="serendipity_center serendipity_msg_notice">
|
||||
{$plugin_contactform_sent}
|
||||
{$plugin_contactform_sent}
|
||||
</div>
|
||||
{else}
|
||||
|
||||
{if $is_contactform_error}
|
||||
{if $is_contactform_error}
|
||||
<div class="serendipity_center serendipity_msg_important">
|
||||
{$plugin_contactform_error}
|
||||
{$plugin_contactform_error}
|
||||
</div>
|
||||
<br /><br />
|
||||
|
||||
<!-- Needed for Captchas -->
|
||||
{foreach from=$comments_messagestack item="message"}
|
||||
<!-- Needed for Captchas -->
|
||||
{foreach from=$comments_messagestack item="message"}
|
||||
<div class="serendipity_center serendipity_msg_important">{$message}</div>
|
||||
{/foreach}
|
||||
{/if}
|
||||
{/foreach}
|
||||
{/if}
|
||||
|
||||
<!-- This whole commentform style, including field names is needed for Captchas. The spamblock plugin relies on the field names [name], [email], [url], [comment]! -->
|
||||
<!-- This whole commentform style, including field names is needed for Captchas. The spamblock plugin relies on the field names [name], [email], [url], [comment]! -->
|
||||
<div class="serendipityCommentForm">
|
||||
<a id="serendipity_CommentForm"></a>
|
||||
<form id="serendipity_comment" action="{$commentform_action}#feedback" method="post">
|
||||
<div>
|
||||
<input type="hidden" name="serendipity[subpage]" value="{$commentform_sname}" />
|
||||
<input type="hidden" name="serendipity[commentform]" value="true" />
|
||||
</div>
|
||||
<input type="hidden" name="serendipity[subpage]" value="{$commentform_sname}" />
|
||||
<input type="hidden" name="serendipity[commentform]" value="true" />
|
||||
</div>
|
||||
<table border="0" width="100%" cellpadding="3">
|
||||
<tr>
|
||||
<td class="serendipity_commentsLabel"><label for="serendipity_commentform_name">{$CONST.NAME}</label></td>
|
||||
|
|
|
@ -10,41 +10,41 @@
|
|||
{/if}
|
||||
|
||||
<div>
|
||||
{$plugin_contactform_preface}
|
||||
{$plugin_contactform_preface}
|
||||
</div>
|
||||
<br /><br />
|
||||
|
||||
{if $is_contactform_sent}
|
||||
<div class="serendipity_center serendipity_msg_notice">
|
||||
{$plugin_contactform_sent}
|
||||
{$plugin_contactform_sent}
|
||||
</div>
|
||||
{else}
|
||||
|
||||
{if $is_contactform_error}
|
||||
{if $is_contactform_error}
|
||||
<div class="serendipity_center serendipity_msg_important">
|
||||
{$plugin_contactform_error}
|
||||
{$plugin_contactform_error}
|
||||
</div>
|
||||
<br /><br />
|
||||
|
||||
<!-- Needed for Captchas -->
|
||||
{foreach from=$comments_messagestack item="message"}
|
||||
<!-- Needed for Captchas -->
|
||||
{foreach from=$comments_messagestack item="message"}
|
||||
<div class="serendipity_center serendipity_msg_important">{$message}</div>
|
||||
{/foreach}
|
||||
{/if}
|
||||
{/foreach}
|
||||
{/if}
|
||||
|
||||
<!-- This whole commentform style, including field names is needed for Captchas. The spamblock plugin relies on the field names [name], [email], [url], [comment]! -->
|
||||
<!-- This whole commentform style, including field names is needed for Captchas. The spamblock plugin relies on the field names [name], [email], [url], [comment]! -->
|
||||
<div class="serendipityCommentForm">
|
||||
<a id="serendipity_CommentForm"></a>
|
||||
<form id="serendipity_comment" action="{$commentform_action}#feedback" method="post">
|
||||
<div>
|
||||
<input type="hidden" name="serendipity[subpage]" value="{$commentform_sname}" />
|
||||
<input type="hidden" name="serendipity[commentform]" value="true" />
|
||||
<input type="hidden" name="serendipity[subpage]" value="{$commentform_sname}" />
|
||||
<input type="hidden" name="serendipity[commentform]" value="true" />
|
||||
{foreach name="field" from=$commentform_dynamicfields item="field"}
|
||||
{if $field.type == "hidden"}
|
||||
<input type="hidden" name="serendipity[{$field.id}]" value="{$field.default}" />
|
||||
{/if}
|
||||
{/foreach}
|
||||
</div>
|
||||
</div>
|
||||
<table border="0" width="100%" cellpadding="3">
|
||||
{foreach name="field" from=$commentform_dynamicfields item="field"}
|
||||
{if $field.type != "hidden"}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<?php #
|
||||
<?php
|
||||
|
||||
|
||||
if (IN_serendipity !== true) {
|
||||
|
@ -18,11 +18,11 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
function introspect(&$propbag) {
|
||||
global $serendipity;
|
||||
|
||||
$subtitle = $this->get_config('backend_title', '');
|
||||
$subtitle = $this->get_config('backend_title', '');
|
||||
if (!empty($subtitle)) {
|
||||
$desc = '(' . $subtitle . ') ' . PLUGIN_CONTACTFORM_TITLE_BLAHBLAH;
|
||||
$desc = '(' . $subtitle . ') ' . PLUGIN_CONTACTFORM_TITLE_BLAHBLAH;
|
||||
} else {
|
||||
$desc = PLUGIN_CONTACTFORM_TITLE_BLAHBLAH;
|
||||
$desc = PLUGIN_CONTACTFORM_TITLE_BLAHBLAH;
|
||||
}
|
||||
|
||||
$propbag->add('name', PLUGIN_CONTACTFORM_TITLE);
|
||||
|
@ -30,7 +30,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$propbag->add('event_hooks', array('entries_header' => true, 'entry_display' => true, 'genpage' => true));
|
||||
$propbag->add('configuration', array('permalink', 'pagetitle', 'backend_title', 'email', 'subject', 'counter', 'intro', 'sent', 'articleformat','dynamic_tpl','dynamic_fields','dynamic_fields_tpl','dynamic_fields_desc'));
|
||||
$propbag->add('author', 'Garvin Hicking');
|
||||
$propbag->add('version', '1.15');
|
||||
$propbag->add('version', '1.16');
|
||||
$propbag->add('requirements', array(
|
||||
'serendipity' => '0.7',
|
||||
'smarty' => '2.6.7',
|
||||
|
@ -164,7 +164,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$title = $this->get_config('pagetitle');
|
||||
|
||||
$subject = sprintf($this->get_config('subject'), $title);
|
||||
|
||||
|
||||
$text = '';
|
||||
|
||||
if (serendipity_db_bool($this->get_config('counter'))) {
|
||||
|
@ -172,7 +172,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$subject = '[' . $this->get_config('counternumber') . '] ' . $subject;
|
||||
$text .= sprintf(PLUGIN_CONTACTFORM_MAIL_ISSUECOUNTER, $this->get_config('counternumber')) . "\n";
|
||||
}
|
||||
|
||||
|
||||
$text .= sprintf(A_NEW_COMMENT_BLAHBLAH, $serendipity['blogTitle'], $title)
|
||||
. "\n"
|
||||
. "\n" . USER . ' ' . IP_ADDRESS . ': ' . $_SERVER['REMOTE_ADDR'];
|
||||
|
@ -220,12 +220,12 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
);
|
||||
|
||||
$commentInfo = array(
|
||||
'type' => 'NORMAL',
|
||||
'source' => 'commentform',
|
||||
'name' => $serendipity['POST']['name'],
|
||||
'url' => $serendipity['POST']['url'],
|
||||
'comment' => $serendipity['POST']['comment'],
|
||||
'email' => $serendipity['POST']['email'],
|
||||
'type' => 'NORMAL',
|
||||
'source' => 'commentform',
|
||||
'name' => htmlspecialchars(strip_tags($serendipity['POST']['name'])),
|
||||
'url' => htmlspecialchars(strip_tags($serendipity['POST']['url'])),
|
||||
'comment' => htmlspecialchars(strip_tags($serendipity['POST']['comment'])),
|
||||
'email' => htmlspecialchars(strip_tags($serendipity['POST']['email'])),
|
||||
'source2' => 'adduser' // Allow the contactform to bypass "only registered users may post" option of the adduser-plugin
|
||||
|
||||
);
|
||||
|
@ -245,10 +245,10 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
|
||||
if ($this->sendComment(
|
||||
$this->get_config('email'),
|
||||
$serendipity['POST']['name'],
|
||||
$serendipity['POST']['email'],
|
||||
$serendipity['POST']['url'],
|
||||
$serendipity['POST']['comment'])) {
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['name'])),
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['email'])),
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['url'])),
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['comment'])))) {
|
||||
|
||||
$serendipity['smarty']->assign('is_contactform_sent', true);
|
||||
return true;
|
||||
|
@ -316,12 +316,12 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
);
|
||||
|
||||
$commentInfo = array(
|
||||
'type' => 'NORMAL',
|
||||
'source' => 'commentform',
|
||||
'name' => $serendipity['POST']['name'],
|
||||
'url' => $serendipity['POST']['url'],
|
||||
'comment' => $comment,
|
||||
'email' => $serendipity['POST']['email'],
|
||||
'type' => 'NORMAL',
|
||||
'source' => 'commentform',
|
||||
'name' => htmlspecialchars(strip_tags($serendipity['POST']['name'])),
|
||||
'url' => htmlspecialchars(strip_tags($serendipity['POST']['url'])),
|
||||
'comment' => htmlspecialchars(strip_tags($comment)),
|
||||
'email' => htmlspecialchars(strip_tags($serendipity['POST']['email'])),
|
||||
'source2' => 'adduser' // Allow the contactform to bypass "only registered users may post" option of the adduser-plugin
|
||||
);
|
||||
serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo);
|
||||
|
@ -340,10 +340,10 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
|
||||
if ($this->sendComment(
|
||||
$this->get_config('email'),
|
||||
$serendipity['POST']['name'],
|
||||
$serendipity['POST']['email'],
|
||||
$serendipity['POST']['url'],
|
||||
$comment,true)) {
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['name'])),
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['email'])),
|
||||
htmlspecialchars(strip_tags($serendipity['POST']['url'])),
|
||||
htmlspecialchars(strip_tags($comment,true)))) {
|
||||
|
||||
$serendipity['smarty']->assign('is_contactform_sent', true);
|
||||
return true;
|
||||
|
@ -397,7 +397,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$form_fields[$item['name']]['default'] = 'checked="checked"';
|
||||
break;
|
||||
default:
|
||||
$form_fields[$item['name']]['default'] = $item['value'];
|
||||
$form_fields[$item['name']]['default'] = htmlspecialchars(strip_tags($item['value']));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -437,7 +437,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$filename = 'plugin_dynamicform.tpl';
|
||||
}
|
||||
$tfile = serendipity_getTemplateFile($filename, 'serendipityPath');
|
||||
|
||||
|
||||
if (!$tfile) {
|
||||
$tfile = dirname(__FILE__) . '/' . $filename;
|
||||
}
|
||||
|
@ -577,7 +577,7 @@ class serendipity_event_contactform extends serendipity_event {
|
|||
$return_array[$field_array[0]]['message'] = $option;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 'radio':
|
||||
$return_array[$field_array[0]]['type'] = 'radio';
|
||||
|
|
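Review bot: In the second sendComment call (hunk @ -340,10 +340,10), `htmlspecialchars(strip_tags($comment,true))` has moved the trailing `true` inside strip_tags: on the old side it was the sixth argument to sendComment (`$comment,true`), and on the new side it becomes strip_tags' allowable_tags parameter, so sendComment no longer receives that flag and strip_tags is handed a boolean where a tag list is expected. The line should read `htmlspecialchars(strip_tags($comment)), true)) {` so the flag reaches sendComment as before; sendComment's signature and the meaning of that flag are outside this diff, so confirm there that the sixth argument is still required. A smaller point, hedged because sendComment's body is not visible: both sendComment calls now receive HTML-escaped strings, and if the method builds a plain-text e-mail, names like `O'Brien &amp; Co` will arrive in the mailbox as entities — escaping once at the HTML output point (the template or the commentInfo hook path) would avoid that while still closing the XSS. The enclosing method starts and ends outside the hunk.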