Changeset 3649:3b0b868d58b0
- Timestamp:
- 01/12/18 07:57:00 (5 years ago)
- Branch:
- default
- Children:
- 3650:11cb6291eea7, 3651:6980a7a06518
- Files:
-
- 7 edited
CHANGELOG
r3646 r3649 4 4 * 🛡 Security: New password management system (including silent migration) 5 5 * 🛡 Security: Add Referrer-Policy header in admin pages 6 * 🛡 Security: Fix potential XSS - thank's Trí Chim Trích for report 6 7 * Dotclear news are now displayed in async way by js 7 8 * Dotclear core update check is now done by async js - a forced check may still be done on <admin>/update.php page -
admin/auth.php
r3627 r3649 83 83 { 84 84 $user_id = !empty($_POST['user_id']) ? $_POST['user_id'] : null; 85 $user_email = !empty($_POST['user_email']) ? $_POST['user_email']: '';85 $user_email = !empty($_POST['user_email']) ? html::escapeHTML($_POST['user_email']) : ''; 86 86 try 87 87 { -
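Review bot: Escaping `$_POST['user_email']` with `html::escapeHTML` at input time (new line 85) changes the value itself, not just its rendering, so any later comparison or lookup against the stored address sees the entity-encoded form (an address containing `&` or `'` would no longer match what was saved). The robust fix is to keep `$user_email` raw here and apply `html::escapeHTML($user_email)` at the point where it is echoed back into the form, with an address-format check (`filter_var($user_email, FILTER_VALIDATE_EMAIL)`) at this boundary if a validation step is wanted. Whether this value is later compared with a database field is not visible in the hunk, so treat that part as something to confirm. The `try` block opened on line 86 continues outside the hunk.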
admin/blogs.php
r3560 r3649 54 54 55 55 if (!empty($_GET['nb']) && (integer) $_GET['nb'] > 0) { 56 if ($nb_per_page != $_GET['nb']) {56 if ($nb_per_page != (integer) $_GET['nb']) { 57 57 $show_filters = true; 58 58 } -
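Review bot: The comparison on new line 56 still uses loose `!=` even though both operands are now integers; since the cast removes the original reason for looseness, `if ($nb_per_page !== (integer) $_GET['nb']) {` states the intent precisely. More importantly the hunk ends at line 58, before the statement that presumably assigns `$nb_per_page` from `$_GET['nb']` (the equivalent line in admin/users.php, line 57, is cast in this same changeset) — if that assignment is not also cast, the raw request string still propagates past the guard. The same pattern appears in the admin/comments.php (line 80) and admin/posts.php (line 181) sections; the enclosing `if` block starts in the hunk but its remaining statements are outside it.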
admin/comments.php
r3560 r3649 78 78 79 79 if (!empty($_GET['nb']) && (integer) $_GET['nb'] > 0) { 80 if ($nb_per_page != $_GET['nb']) {80 if ($nb_per_page != (integer) $_GET['nb']) { 81 81 $show_filters = true; 82 82 } -
admin/posts.php
r3560 r3649 179 179 180 180 if (!empty($_GET['nb']) && (integer) $_GET['nb'] > 0) { 181 if ($nb_per_page != $_GET['nb']) {181 if ($nb_per_page != (integer) $_GET['nb']) { 182 182 $show_filters = true; 183 183 } -
admin/user.php
r3639 r3649 80 80 $cur->user_id = $_POST['user_id']; 81 81 $cur->user_super = $user_super = !empty($_POST['user_super']) ? 1 : 0; 82 $cur->user_name = $user_name = $_POST['user_name'];83 $cur->user_firstname = $user_firstname = $_POST['user_firstname'];84 $cur->user_displayname = $user_displayname = $_POST['user_displayname'];85 $cur->user_email = $user_email = $_POST['user_email'];86 $cur->user_url = $user_url = $_POST['user_url'];87 $cur->user_lang = $user_lang = $_POST['user_lang'];88 $cur->user_tz = $user_tz = $_POST['user_tz'];89 $cur->user_post_status = $user_post_status = $_POST['user_post_status'];82 $cur->user_name = $user_name = html::escapeHTML($_POST['user_name']); 83 $cur->user_firstname = $user_firstname = html::escapeHTML($_POST['user_firstname']); 84 $cur->user_displayname = $user_displayname = html::escapeHTML($_POST['user_displayname']); 85 $cur->user_email = $user_email = html::escapeHTML($_POST['user_email']); 86 $cur->user_url = $user_url = html::escapeHTML($_POST['user_url']); 87 $cur->user_lang = $user_lang = html::escapeHTML($_POST['user_lang']); 88 $cur->user_tz = $user_tz = html::escapeHTML($_POST['user_tz']); 89 $cur->user_post_status = $user_post_status = html::escapeHTML($_POST['user_post_status']); 90 90 91 91 if ($user_id && $cur->user_id == $core->auth->userID() && $core->auth->isSuperAdmin()) { … … 105 105 } 106 106 107 $user_options['post_format'] = $_POST['user_post_format'];107 $user_options['post_format'] = html::escapeHTML($_POST['user_post_format']); 108 108 $user_options['edit_size'] = (integer) $_POST['user_edit_size']; 109 109 -
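Review bot: New lines 82–89 and 107 apply `html::escapeHTML` to values that are written into `$cur` and so, presumably, persisted — this stores entity-encoded text in the record, so a display name such as `O'Brien` or `A & B` is likely saved in escaped form (exact entities depend on the helper, not visible here) and risks double-encoding wherever the templates already escape on output. The safer shape is to keep the raw value in `$cur->user_name` and friends, escape at output, and validate the non-free-text fields at this boundary instead: `filter_var($_POST['user_email'], FILTER_VALIDATE_EMAIL)`, `filter_var($_POST['user_url'], FILTER_VALIDATE_URL)`, and an allow-list check for `user_lang`, `user_tz` and `user_post_status` against the values the select boxes offer. Note also that context line 80, `$cur->user_id = $_POST['user_id'];`, receives neither treatment, which looks like an oversight given the surrounding lines. The enclosing block extends beyond both hunks.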
admin/users.php
r3560 r3649 52 52 53 53 if (!empty($_GET['nb']) && (integer) $_GET['nb'] > 0) { 54 if ($nb_per_page != $_GET['nb']) {54 if ($nb_per_page != (integer) $_GET['nb']) { 55 55 $show_filters = true; 56 56 } 57 $nb_per_page = $_GET['nb'];57 $nb_per_page = (integer) $_GET['nb']; 58 58 } 59 59
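Review bot: The guard on line 53 accepts any positive integer and new line 57 copies it straight into `$nb_per_page`, so there is no upper bound on the page size a request can ask for; if this value feeds a `LIMIT` or the pager (its consumer is outside the hunk), an arbitrarily large `nb` becomes an easy way to make the listing page do unbounded work. A clamp at the boundary keeps the fix complete: `$nb_per_page = min((integer) $_GET['nb'], MAX_NB_PER_PAGE /* placeholder: pick the project's limit */);`. The same `> 0`-only guard appears in the admin/blogs.php, admin/comments.php and admin/posts.php sections of this changeset. With both sides now cast, `!==` on line 54 would also be the precise operator.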