From ad06356c5f2601508277b9e8162f0e7536a9af81 Mon Sep 17 00:00:00 2001
From: "Paul S. Owen"
Date: Tue, 30 Dec 2003 14:17:49 +0000
Subject: [PATCH] Updates for potential XSS vuln ... someone please verify and get back to me
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@4706 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/groupcp.php | 3 ++-
 phpBB/privmsg.php | 12 ++----------
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/phpBB/groupcp.php b/phpBB/groupcp.php
index 44a79c5e0c..8fd4b7e471 100644
--- a/phpBB/groupcp.php
+++ b/phpBB/groupcp.php
@@ -137,6 +137,7 @@ else
 if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
 {
 $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
 }
 else
 {
@@ -590,7 +591,7 @@ else if ( $group_id )
 $sql_in = '';
 for($i = 0; $i < count($members); $i++)
 {
- $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
+ $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);
 }
 if ( isset($HTTP_POST_VARS['approve']) )
diff --git a/phpBB/privmsg.php b/phpBB/privmsg.php
index 69be22b9e2..576c4b5685 100644
--- a/phpBB/privmsg.php
+++ b/phpBB/privmsg.php
@@ -58,6 +58,7 @@ $mark_list = ( !empty($HTTP_POST_VARS['mark']) ) ? $HTTP_POST_VARS['mark'] : 0;
 if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) )
 {
 $folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+ $folder = htmlspecialchars($folder);
 if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' )
 {
@@ -69,16 +70,6 @@ else
 $folder = 'inbox';
 }
-// session id check
-if (!empty($HTTP_POST_VARS['sid']) || !empty($HTTP_GET_VARS['sid']))
-{
- $sid = (!empty($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : $HTTP_GET_VARS['sid'];
-}
-else
-{
- $sid = '';
-}
-
 //
 // Start session management
 //
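Review bot: `htmlspecialchars($mode)` is called without flags, which leaves single quotes unescaped, so the escaping added in the first groupcp.php hunk does not cover a later write of `$mode` into a single-quoted attribute or a script string; where `$mode` is printed is outside the hunk. Passing the flag explicitly, `$mode = htmlspecialchars($mode, ENT_QUOTES);`, covers that case, and the same applies to `$folder` and `$mode` in the two privmsg.php hunks. For `$folder` the comparison against the four folder names directly below may already be the stronger control, provided the branch (cut off by the hunk) resets the value. A similar fixed list of accepted values for `$mode` would be preferable to escaping at input, if the set of modes is known.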
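Review bot: The `intval()` cast added in the second groupcp.php hunk appears to be what keeps caller-supplied values out of the SQL fragment built in `$sql_in`, but nothing on the line says so and the commit subject mentions only XSS. A comment such as `// ids are concatenated into the SQL list below, force each one to an integer` would keep a later cleanup from dropping the cast. Non-numeric entries now become `0` instead of being rejected, and an empty `$members` leaves `$sql_in` empty; whether either case is handled where the query is assembled is not visible, since the loop's surroundings lie outside the hunk.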
@@ -102,6 +93,7 @@ if ( $cancel )
 if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) )
 {
 $mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
 }
 else
 {