[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=1594
[commit: http://hg.dwscoalition.org/dw-free/rev/0c901a3e684a]
http://bugs.dwscoalition.org/show_bug.cgi?id=1594
Fix issue with not escaping profile display email address.
Patch by rat.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=1594
Fix issue with not escaping profile display email address.
Patch by
Files modified:
- bin/upgrading/en.dat
- cgi-bin/DW/Setting/ProfileEmail.pm
- htdocs/userinfo.bml
--------------------------------------------------------------------------------
diff -r fe18f5fe4113 -r 0c901a3e684a bin/upgrading/en.dat
--- a/bin/upgrading/en.dat Sat Aug 08 15:16:42 2009 +0000
+++ b/bin/upgrading/en.dat Sat Aug 08 18:04:44 2009 +0000
@@ -2741,6 +2741,8 @@ setting.randompaidgifts.option.paid=If y
setting.randompaidgifts.option.note=You may receive a paid account from someone you do not know.
+setting.profileemail.error.email.invalid=Invalid email address entered.
+
setting.safesearch.error.invalid=Invalid safe search setting.
setting.safesearch.label=Safe Search Filter
diff -r fe18f5fe4113 -r 0c901a3e684a cgi-bin/DW/Setting/ProfileEmail.pm
--- a/cgi-bin/DW/Setting/ProfileEmail.pm Sat Aug 08 15:16:42 2009 +0000
+++ b/cgi-bin/DW/Setting/ProfileEmail.pm Sat Aug 08 18:04:44 2009 +0000
@@ -57,7 +57,17 @@ sub save {
my $email = $class->get_arg( $args, "email" );
$email = LJ::trim( $email || "" );
- $u->profile_email( $email );
+ # ensure a valid email address is given.
+ my @errors;
+ if ( $email ) {
+ LJ::check_email( $email, \@errors );
+ }
+
+ if ( @errors ) {
+ $class->errors( "email" => $class->ml( 'setting.profileemail.error.email.invalid' ) ) ;
+ } else {
+ $u->profile_email( $email );
+ }
return 1;
}
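Review bot: The messages LJ::check_email pushes into @errors are discarded and replaced by the single generic `setting.profileemail.error.email.invalid` string, so the user gets no hint which check failed; if check_email's messages are suitable for display, `$class->errors( email => $errors[0] )` would surface them. The empty-string case deliberately skips validation and stores `""`, which is presumably how a user clears the field; a comment such as `# an empty value clears the profile email; only validate when one is given` would make that intent explicit. Addresses stored before this change are not re-validated on this path, so the output-side escaping added in htdocs/userinfo.bml remains the actual safeguard at display time. Minor style point: the stray space before `;` on the errors() line. The enclosing sub save starts above the hunk.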
diff -r fe18f5fe4113 -r 0c901a3e684a htdocs/userinfo.bml
--- a/htdocs/userinfo.bml Sat Aug 08 15:16:42 2009 +0000
+++ b/htdocs/userinfo.bml Sat Aug 08 18:04:44 2009 +0000
@@ -176,7 +176,9 @@ body<=
return qq(<a href="$l->{url}">$l->{text}</a>) if $l->{url};
return $l->{text};
} elsif ( $l->{email} ) {
- return LJ::mangle_email_address( $l->{email} );
+ # the ehtml call here shouldn't be necessary, but just in case they slip in an email
+ # that contains Bad Stuff, escape it
+ return LJ::mangle_email_address( LJ::ehtml( $l->{email} ) );
} else {
return "(Error in Linkification)";
}
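Review bot: The new comment undersells the escape: `$l->{email}` is user-supplied data being written into HTML, so encoding it at output is the correct default regardless of what save-time validation does, not a "just in case"; I would reword it to `# email is user-supplied; escape before mangling so the link text is safe HTML even if upstream validation is bypassed`. Escaping before LJ::mangle_email_address looks right if that helper emits markup of its own (escaping afterwards would corrupt it), but that is worth confirming against its definition. The unchanged `$l->{url}` / `$l->{text}` branch just above interpolates those values into markup without escaping; if they come from the same user-controlled source as the email, the same treatment applies. The enclosing sub starts before the hunk and appears to continue after it.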
--------------------------------------------------------------------------------
