makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

strip_tags from various profile fields; username, email, interests, etc. ... probably end up annoying people but hum ho

Browse source 
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@3163 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Paul S. Owen 2002-12-03 00:21:44 +00:00
parent fcb6c75dbc
commit f4960dca9e
1 changed files with 17 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
phpBB/includes/usercp_register.php
View file

@ -92,25 +92,22 @@ if (
if ( $mode == 'editprofile' ) if ( $mode == 'editprofile' )
{ {
$user_id = intval($HTTP_POST_VARS['user_id']); $user_id = intval($HTTP_POST_VARS['user_id']);
$current_email = trim(strip_tags(htmlspecialchars($HTTP_POST_VARS['current_email']))); $current_email = trim(strip_tags($HTTP_POST_VARS['current_email']));
} }
$strip_var_list = array('username' => 'username', 'email' => 'email', 'icq' => 'icq', 'aim' => 'aim', 'msn' => 'msn', 'yim' => 'yim', 'website' => 'website', 'location' => 'location', 'occupation' => 'occupation', 'interests' => 'interests'); $strip_var_list = array('username' => 'username', 'email' => 'email', 'icq' => 'icq', 'aim' => 'aim', 'msn' => 'msn', 'yim' => 'yim', 'website' => 'website', 'location' => 'location', 'occupation' => 'occupation', 'interests' => 'interests');
// BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 // Strip all tags from data ... may p**s some people off, could use
// // htmlspecialchars but given the fields are limited in length we'd end
// NOTE ... nore sure about this htmlspecialchars here ... should users make 'extensive' use of special chars they will lose characters without realising it (as data is trimmed to fit the given fields) // up with (possibly) losing some data. Of course we could store the data
// // "as is" and specialchar it as it's output but then we run into potential
// Only way around this at present will be to specialchar data in the relevant source as reqd. inc. // performance issues ... whichever way we go we'll end up being moaned at
// reverting this to how it was done a few days back. // "hum ho, ho hum" (TM)
//
// BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4 BEFORE 2.0.4
while( list($var, $param) = @each($strip_var_list) ) while( list($var, $param) = @each($strip_var_list) )
{ {
if ( !empty($HTTP_POST_VARS[$param]) ) if ( !empty($HTTP_POST_VARS[$param]) )
{ {
$$var = trim(htmlspecialchars($HTTP_POST_VARS[$param])); $$var = trim(strip_tags($HTTP_POST_VARS[$param]));
} }
} }
@ -159,7 +156,7 @@ if (
{ {
if ( preg_match('/^[a-z_]+$/i', $HTTP_POST_VARS['language']) ) if ( preg_match('/^[a-z_]+$/i', $HTTP_POST_VARS['language']) )
{ {
$user_lang = htmlspecialchars($HTTP_POST_VARS['language']); $user_lang = strip_tags($HTTP_POST_VARS['language']);
} }
else else
{ {
@ -173,11 +170,11 @@ if (
} }
$user_timezone = ( isset($HTTP_POST_VARS['timezone']) ) ? doubleval($HTTP_POST_VARS['timezone']) : $board_config['board_timezone']; $user_timezone = ( isset($HTTP_POST_VARS['timezone']) ) ? doubleval($HTTP_POST_VARS['timezone']) : $board_config['board_timezone'];
$user_dateformat = ( !empty($HTTP_POST_VARS['dateformat']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['dateformat'])) : $board_config['default_dateformat']; $user_dateformat = ( !empty($HTTP_POST_VARS['dateformat']) ) ? trim(strip_tags($HTTP_POST_VARS['dateformat'])) : $board_config['default_dateformat'];
$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal']) ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' ); $user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal']) ) ? strip_tags($HTTP_POST_VARS['avatarlocal']) : '' );
$user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['avatarremoteurl'])) : ''; $user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim(strip_tags($HTTP_POST_VARS['avatarremoteurl'])) : '';
$user_avatar_upload = ( !empty($HTTP_POST_VARS['avatarurl']) ) ? trim($HTTP_POST_VARS['avatarurl']) : ( ( $HTTP_POST_FILES['avatar']['tmp_name'] != "none") ? $HTTP_POST_FILES['avatar']['tmp_name'] : '' ); $user_avatar_upload = ( !empty($HTTP_POST_VARS['avatarurl']) ) ? trim($HTTP_POST_VARS['avatarurl']) : ( ( $HTTP_POST_FILES['avatar']['tmp_name'] != "none") ? $HTTP_POST_FILES['avatar']['tmp_name'] : '' );
$user_avatar_name = ( !empty($HTTP_POST_FILES['avatar']['name']) ) ? $HTTP_POST_FILES['avatar']['name'] : ''; $user_avatar_name = ( !empty($HTTP_POST_FILES['avatar']['name']) ) ? $HTTP_POST_FILES['avatar']['name'] : '';
$user_avatar_size = ( !empty($HTTP_POST_FILES['avatar']['size']) ) ? $HTTP_POST_FILES['avatar']['size'] : 0; $user_avatar_size = ( !empty($HTTP_POST_FILES['avatar']['size']) ) ? $HTTP_POST_FILES['avatar']['size'] : 0;
@ -190,9 +187,9 @@ if (
{ {
$username = stripslashes($username); $username = stripslashes($username);
$email = stripslashes($email); $email = stripslashes($email);
$cur_password = stripslashes($cur_password); $cur_password = htmlspecialchars(stripslashes($cur_password));
$new_password = stripslashes($new_password); $new_password = htmlspecialchars(stripslashes($new_password));
$password_confirm = stripslashes($password_confirm); $password_confirm = htmlspecialchars(stripslashes($password_confirm));
$icq = stripslashes($icq); $icq = stripslashes($icq);
$aim = stripslashes($aim); $aim = stripslashes($aim);
@ -668,7 +665,7 @@ if ( $error )
$occupation = stripslashes($occupation); $occupation = stripslashes($occupation);
$interests = stripslashes($interests); $interests = stripslashes($interests);
$signature = stripslashes($signature); $signature = stripslashes($signature);
$signature = ( $signature_bbcode_uid != '' ) ? preg_replace("/:(([a-z0-9]+:)?)$signature_bbcode_uid\]/si", ']', $signature) : $signature; $signature = ($signature_bbcode_uid != '') ? preg_replace("/:(([a-z0-9]+:)?)$signature_bbcode_uid\]/si", ']', $signature) : $signature;
$user_lang = stripslashes($user_lang); $user_lang = stripslashes($user_lang);
$user_dateformat = stripslashes($user_dateformat); $user_dateformat = stripslashes($user_dateformat);
@ -692,7 +689,7 @@ else if ( $mode == 'editprofile' && !isset($HTTP_POST_VARS['avatargallery']) &&
$occupation = $userdata['user_occ']; $occupation = $userdata['user_occ'];
$interests = $userdata['user_interests']; $interests = $userdata['user_interests'];
$signature_bbcode_uid = $userdata['user_sig_bbcode_uid']; $signature_bbcode_uid = $userdata['user_sig_bbcode_uid'];
$signature = ( $signature_bbcode_uid != '' ) ? preg_replace("/:(([a-z0-9]+:)?)$signature_bbcode_uid\]/si", ']', $userdata['user_sig']) : $userdata['user_sig']; $signature = ($signature_bbcode_uid != '') ? preg_replace("/:(([a-z0-9]+:)?)$signature_bbcode_uid\]/si", ']', $userdata['user_sig']) : $userdata['user_sig'];
$viewemail = $userdata['user_viewemail']; $viewemail = $userdata['user_viewemail'];
$notifypm = $userdata['user_notify_pm']; $notifypm = $userdata['user_notify_pm'];