fix XSS уязвимость
This commit is contained in:
parent
0a5eaa2713
commit
b9fca12633
|
@ -80,7 +80,7 @@ class ActionBlog extends Action {
|
|||
*
|
||||
* @var unknown_type
|
||||
*/
|
||||
protected $aBadBlogUrl=array('new','good','bad','edit','add','admin','delete','invite','ajaxaddcomment','ajaxaddbloginvite');
|
||||
protected $aBadBlogUrl=array('new','good','bad','edit','add','admin','delete','invite','ajaxaddcomment','ajaxaddbloginvite','ajaxresponsecomment','ajaxrebloginvite','ajaxbloginfo','ajaxblogjoin');
|
||||
|
||||
/**
|
||||
* Инизиализация экшена
|
||||
|
@ -1195,8 +1195,8 @@ class ActionBlog extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser)),
|
||||
'sUserLogin'=>$sUser
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser))),
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
@ -1214,8 +1214,8 @@ class ActionBlog extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>false,
|
||||
'sMsgTitle'=>$this->Lang_Get('attention'),
|
||||
'sMsg'=>$this->Lang_Get('blog_user_invite_add_ok',array('login'=>$sUser)),
|
||||
'sUserLogin'=>$sUser,
|
||||
'sMsg'=>$this->Lang_Get('blog_user_invite_add_ok',array('login'=>htmlspecialchars($sUser))),
|
||||
'sUserLogin'=>htmlspecialchars($sUser),
|
||||
'sUserWebPath'=>$oUser->getUserWebPath()
|
||||
);
|
||||
$this->SendBlogInvite($oBlog,$oUser);
|
||||
|
@ -1224,7 +1224,7 @@ class ActionBlog extends Action {
|
|||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('system_error'),
|
||||
'sUserLogin'=>$sUser
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
|
@ -1234,13 +1234,13 @@ class ActionBlog extends Action {
|
|||
*/
|
||||
switch (true) {
|
||||
case ($aBlogUsers[$oUser->getId()]->getUserRole()==ModuleBlog::BLOG_USER_ROLE_INVITE):
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_invited',array('login'=>$sUser));
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_invited',array('login'=>htmlspecialchars($sUser)));
|
||||
break;
|
||||
case ($aBlogUsers[$oUser->getId()]->getUserRole()>ModuleBlog::BLOG_USER_ROLE_GUEST):
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_exists',array('login'=>$sUser));
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_exists',array('login'=>htmlspecialchars($sUser)));
|
||||
break;
|
||||
case ($aBlogUsers[$oUser->getId()]->getUserRole()==ModuleBlog::BLOG_USER_ROLE_REJECT):
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_reject',array('login'=>$sUser));
|
||||
$sErrorMessage=$this->Lang_Get('blog_user_already_reject',array('login'=>htmlspecialchars($sUser)));
|
||||
break;
|
||||
default:
|
||||
$sErrorMessage=$this->Lang_Get('system_error');
|
||||
|
@ -1249,7 +1249,7 @@ class ActionBlog extends Action {
|
|||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$sErrorMessage,
|
||||
'sUserLogin'=>$sUser
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
|
|
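Review bot: The added `htmlspecialchars($sUser)` calls in the -1195, -1214, -1224, -1234 and -1249 hunks rely on the function's default flags, which before PHP 8.1 are ENT_COMPAT and leave a single quote unescaped, so the protection is incomplete wherever a template places `sUserLogin` or `sMsg` inside a single-quoted attribute or a JS string. Pass the flags and charset explicitly, `htmlspecialchars($sUser, ENT_QUOTES, 'UTF-8')`, or route every one of these through a single small escaping helper so the policy is defined once; the same applies to each `htmlspecialchars` call this commit adds in ActionStream, ActionTalk and ActionUserfeed. Escaping in the action also presumes the consumer prints `sMsg` and `sUserLogin` raw; if the template escapes them as well the login will be double-encoded, so it is worth confirming which layer owns output escaping. The enclosing methods start and end outside these hunks.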
@ -164,7 +164,7 @@ class ActionStream extends Action {
|
|||
*/
|
||||
$oUser = $this->User_getUserByLogin(getRequest('login'));
|
||||
if (!$oUser) {
|
||||
$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>getRequest('login'))),$this->Lang_Get('error'));
|
||||
$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>htmlspecialchars(getRequest('login')))),$this->Lang_Get('error'));
|
||||
return;
|
||||
}
|
||||
if ($this->oUserCurrent->getId() == $oUser->getId()) {
|
||||
|
|
|
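Review bot: `getRequest('login')` is evaluated twice in the -164 hunk, once for the `User_getUserByLogin` lookup and once, now escaped, for the error message, and the new line makes that duplication harder to read. Read the value once into a local before the lookup, `$sLogin = getRequest('login');`, then pass `$sLogin` to the lookup and `htmlspecialchars($sLogin, ENT_QUOTES, 'UTF-8')` to the message, so the looked-up and displayed values are provably the same and any type check (the request value is presumably not guaranteed to be a string) happens in one place. The -165 hunk in ActionUserfeed is the same code and should get the same change. The enclosing method starts and ends outside the hunk.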
@ -393,7 +393,7 @@ class ActionTalk extends Action {
|
|||
str_replace(
|
||||
'login',
|
||||
$oUser->getLogin(),
|
||||
$this->Lang_Get('talk_user_in_blacklist',array('login'=>$oUser->getLogin()))
|
||||
$this->Lang_Get('talk_user_in_blacklist',array('login'=>htmlspecialchars($oUser->getLogin())))
|
||||
),
|
||||
$this->Lang_Get('error')
|
||||
);
|
||||
|
@ -642,16 +642,16 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>false,
|
||||
'sMsgTitle'=>$this->Lang_Get('attention'),
|
||||
'sMsg'=>$this->Lang_Get('talk_blacklist_add_ok',array('login'=>$sUser)),
|
||||
'sMsg'=>$this->Lang_Get('talk_blacklist_add_ok',array('login'=>htmlspecialchars($sUser))),
|
||||
'sUserId'=>$oUser->getId(),
|
||||
'sUserLogin'=>$sUser
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
} else {
|
||||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('system_error'),
|
||||
'sUserLogin'=>$sUser
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
|
@ -660,8 +660,8 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('talk_blacklist_user_already_have',array('login'=>$sUser)),
|
||||
'sUserLogin'=>$sUser
|
||||
'sMsg'=>$this->Lang_Get('talk_blacklist_user_already_have',array('login'=>htmlspecialchars($sUser))),
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
@ -669,8 +669,8 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser)),
|
||||
'sUserLogin'=>$sUser
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser))),
|
||||
'sUserLogin'=>htmlspecialchars($sUser)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
@ -700,7 +700,7 @@ class ActionTalk extends Action {
|
|||
// Если пользователь не существуем, возращаем ошибку
|
||||
if (!$oUserTarget=$this->User_GetUserById($idTarget)) {
|
||||
$this->Message_AddErrorSingle(
|
||||
$this->Lang_Get('user_not_found_by_id',array('id'=>$idTarget)),
|
||||
$this->Lang_Get('user_not_found_by_id',array('id'=>htmlspecialchars($idTarget))),
|
||||
$this->Lang_Get('error')
|
||||
);
|
||||
return;
|
||||
|
@ -762,7 +762,7 @@ class ActionTalk extends Action {
|
|||
// возвращаем ошибку
|
||||
if (!$oUserTarget=$this->User_GetUserById($idTarget)) {
|
||||
$this->Message_AddErrorSingle(
|
||||
$this->Lang_Get('user_not_found_by_id',array('id'=>$idTarget)),
|
||||
$this->Lang_Get('user_not_found_by_id',array('id'=>htmlspecialchars($idTarget))),
|
||||
$this->Lang_Get('error')
|
||||
);
|
||||
return;
|
||||
|
@ -890,7 +890,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>false,
|
||||
'sMsgTitle'=>$this->Lang_Get('attention'),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',$sUser)),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',htmlspecialchars($sUser))),
|
||||
'sUserId'=>$oUser->getId(),
|
||||
'sUserLogin'=>$oUser->getLogin(),
|
||||
'sUserLink'=>$oUser->getUserWebPath()
|
||||
|
@ -910,7 +910,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_user_already_exist',array('login'=>$sUser))
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_user_already_exist',array('login'=>htmlspecialchars($sUser)))
|
||||
);
|
||||
break;
|
||||
// Если пользователь удалил себя из разговора самостоятельно,
|
||||
|
@ -919,7 +919,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_delete_by_self',array('login'=>$sUser))
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_delete_by_self',array('login'=>htmlspecialchars($sUser)))
|
||||
);
|
||||
break;
|
||||
|
||||
|
@ -946,7 +946,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>false,
|
||||
'sMsgTitle'=>$this->Lang_Get('attention'),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',$sUser)),
|
||||
'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',htmlspecialchars($sUser))),
|
||||
'sUserId'=>$oUser->getId(),
|
||||
'sUserLogin'=>$oUser->getLogin(),
|
||||
'sUserLink'=>$oUser->getUserWebPath()
|
||||
|
@ -964,7 +964,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('talk_user_in_blacklist',array('login'=>$sUser))
|
||||
'sMsg'=>$this->Lang_Get('talk_user_in_blacklist',array('login'=>htmlspecialchars($sUser)))
|
||||
);
|
||||
}
|
||||
} else {
|
||||
|
@ -972,7 +972,7 @@ class ActionTalk extends Action {
|
|||
$aResult[]=array(
|
||||
'bStateError'=>true,
|
||||
'sMsgTitle'=>$this->Lang_Get('error'),
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser))
|
||||
'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser)))
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
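Review bot: In the -393 hunk the escaped login produced by the new `Lang_Get` line is then fed through the surrounding `str_replace('login', $oUser->getLogin(), …)`, which substitutes the raw, unescaped login for every literal `login` substring of the already-formatted message — including inside the escaped value itself — so the escaping can be undone at that step. The `str_replace` looks redundant with the `'login'=>` substitution `Lang_Get` already performs and should be dropped, passing `$this->Lang_Get('talk_user_in_blacklist', array('login'=>htmlspecialchars($oUser->getLogin(), ENT_QUOTES, 'UTF-8')))` directly as the first argument of the surrounding call, whose opening line is outside the hunk; whether a stored login can carry markup depends on registration validation not visible here. Separately, the rewritten lines in the -890 and -946 hunks still build the replacement map as `array('login',htmlspecialchars($sUser))`, a comma rather than `=>`, so the value is keyed `0` instead of `login` unlike every other call in this file; presumably `array('login'=>htmlspecialchars($sUser))` was intended. The enclosing methods start and end outside these hunks.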
@ -165,7 +165,7 @@ class ActionUserfeed extends Action {
|
|||
*/
|
||||
$oUser = $this->User_getUserByLogin(getRequest('login'));
|
||||
if (!$oUser) {
|
||||
$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>getRequest('login'))),$this->Lang_Get('error'));
|
||||
$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>htmlspecialchars(getRequest('login')))),$this->Lang_Get('error'));
|
||||
return;
|
||||
}
|
||||
/**
|
||||
|
|