[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=3562
[commit: http://hg.dwscoalition.org/dw-free/rev/5bbc58fb6f45]
http://bugs.dwscoalition.org/show_bug.cgi?id=3562
Escape user-controlled text in textareas.
Patch by
exor674.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=3562
Escape user-controlled text in textareas.
Patch by
Files modified:
- htdocs/admin/spamreports.bml
- htdocs/admin/sysban.bml
--------------------------------------------------------------------------------
diff -r 160d905b81fb -r 5bbc58fb6f45 htdocs/admin/spamreports.bml
--- a/htdocs/admin/spamreports.bml Mon Mar 28 20:14:32 2011 +0800
+++ b/htdocs/admin/spamreports.bml Tue Mar 29 10:50:28 2011 +0800
@@ -231,11 +231,11 @@ _c?>
 if ( $reason && $reason->{talk_ip_test} ) {
 $extra = "<strong>Already talk_ip_test banned</strong>";
 if ( $remote->has_priv( 'sysban' ) ) {
- $extra .= "<br/><textarea name='sysban_note' rows='3' cols='60' readonly='1'>" . ( $reason->{talk_ip_test}->{note} || "(no note)" ) . "</textarea>";
+ $extra .= "<br/><textarea name='sysban_note' rows='3' cols='60' readonly='1'>" . LJ::ehtml( $reason->{talk_ip_test}->{note} || "(no note)" ) . "</textarea>";
 }
 } else {
 $extra = LJ::html_check({name => "sysban_ip", value => $what, label => "Also Sysban IP?"});
- $extra .= "<br/><textarea name='sysban_note' rows='3' cols='60'> ~" . $remote->username . " @ " . LJ::mysql_time() . "</textarea>";
+ $extra .= "<br/><textarea name='sysban_note' rows='3' cols='60'> ~" . LJ::ehtml( $remote->username . " @ " . LJ::mysql_time() ) . "</textarea>";
 }
 }
diff -r 160d905b81fb -r 5bbc58fb6f45 htdocs/admin/sysban.bml
--- a/htdocs/admin/sysban.bml Mon Mar 28 20:14:32 2011 +0800
+++ b/htdocs/admin/sysban.bml Tue Mar 29 10:50:28 2011 +0800
@@ -115,6 +115,7 @@ QUERYFORM
 my $expire = $existing_bans->{ $value }->{expire};
 my $note = $existing_bans->{ $value }->{note};
+ my $enote = LJ::ehtml($note);
 my $banid = $existing_bans->{ $value }->{banid};
 $note =~ s/^'(.*)'$/\1/;
@@ -133,7 +134,7 @@ QUERYFORM
 </select>
 </td>
 <td>
-<textarea name='note' rows='3' cols='60'>$note</textarea>
+<textarea name='note' rows='3' cols='60'>$enote</textarea>
 </td>
 <td><input type='submit' name='modify' value='modify'>
 </td>
--------------------------------------------------------------------------------
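Review bot: Both branches of this hunk hand-build the same `<textarea name='sysban_note' ...>` markup and differ only in the text they now wrap in LJ::ehtml, so the escape call sits in the middle of two concatenation chains where the next edit can easily drop it again. Computing the body first and escaping once at the HTML boundary keeps the rule visible, e.g. `my $note_text = $reason->{talk_ip_test}->{note} || "(no note)";` followed by `$extra .= "<br/><textarea name='sysban_note' rows='3' cols='60' readonly='1'>" . LJ::ehtml( $note_text ) . "</textarea>";`; if this codebase provides a textarea helper next to the LJ::html_check used in the else branch, that helper would do the escaping for both branches. The code that emits `$extra`, and whatever escaping `$what` receives inside LJ::html_check, lies outside the hunk and cannot be checked here.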
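Review bot: `my $enote = LJ::ehtml($note);` is taken before `$note =~ s/^'(.*)'$/\1/;` strips the surrounding quotes two lines later, so the escaped copy that the second sysban.bml hunk now prints (`<textarea name='note' rows='3' cols='60'>$enote</textarea>`) keeps the quotes that the previous unescaped `$note` had already removed, assuming the substitution runs before the form is printed as the line order suggests; the modify form then round-trips a differently formatted note. Moving the assignment below the substitution fixes both hunks at once: `$note =~ s/^'(.*)'$/\1/;` then `my $enote = LJ::ehtml($note);`. The enclosing QUERYFORM block starts and ends outside the hunk, and the header counts six old lines while only four are visible here, so the missing context lines should be checked for other uses of `$note` before moving it.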