fix XSS уязвимость

2024-05-19 01:08:19 +03:00 · 2011-08-28 19:23:28 +00:00 · 2011-08-28 19:23:28 +00:00 · b9fca12633
parent 0a5eaa2713
commit b9fca12633
4 changed files with 28 additions and 28 deletions
--- a/classes/actions/ActionBlog.class.php
+++ b/classes/actions/ActionBlog.class.php
@ -80,7 +80,7 @@ class ActionBlog extends Action {
 	 *
 	 * @var unknown_type
 	 */
-	protected $aBadBlogUrl=array('new','good','bad','edit','add','admin','delete','invite','ajaxaddcomment','ajaxaddbloginvite');
+	protected $aBadBlogUrl=array('new','good','bad','edit','add','admin','delete','invite','ajaxaddcomment','ajaxaddbloginvite','ajaxresponsecomment','ajaxrebloginvite','ajaxbloginfo','ajaxblogjoin');

 	/**
 	 * Инизиализация экшена
@ -1195,8 +1195,8 @@ class ActionBlog extends Action {
 				$aResult[]=array(
 					'bStateError'=>true,
 					'sMsgTitle'=>$this->Lang_Get('error'),
-					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser)),
-					'sUserLogin'=>$sUser
+					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser))),
+					'sUserLogin'=>htmlspecialchars($sUser)
 				);
 				continue;
 			}
@ -1214,8 +1214,8 @@ class ActionBlog extends Action {
 					$aResult[]=array(
 						'bStateError'=>false,
 						'sMsgTitle'=>$this->Lang_Get('attention'),
-						'sMsg'=>$this->Lang_Get('blog_user_invite_add_ok',array('login'=>$sUser)),
-						'sUserLogin'=>$sUser,
+						'sMsg'=>$this->Lang_Get('blog_user_invite_add_ok',array('login'=>htmlspecialchars($sUser))),
+						'sUserLogin'=>htmlspecialchars($sUser),
 						'sUserWebPath'=>$oUser->getUserWebPath()
 					);
 					$this->SendBlogInvite($oBlog,$oUser);
@ -1224,7 +1224,7 @@ class ActionBlog extends Action {
 						'bStateError'=>true,
 						'sMsgTitle'=>$this->Lang_Get('error'),
 						'sMsg'=>$this->Lang_Get('system_error'),
-						'sUserLogin'=>$sUser
+						'sUserLogin'=>htmlspecialchars($sUser)
 					);
 				}
 			} else {
@ -1234,13 +1234,13 @@ class ActionBlog extends Action {
 				 */
 				switch (true) {
 					case ($aBlogUsers[$oUser->getId()]->getUserRole()==ModuleBlog::BLOG_USER_ROLE_INVITE):
-						$sErrorMessage=$this->Lang_Get('blog_user_already_invited',array('login'=>$sUser));
+						$sErrorMessage=$this->Lang_Get('blog_user_already_invited',array('login'=>htmlspecialchars($sUser)));
 						break;
 					case ($aBlogUsers[$oUser->getId()]->getUserRole()>ModuleBlog::BLOG_USER_ROLE_GUEST):
-						$sErrorMessage=$this->Lang_Get('blog_user_already_exists',array('login'=>$sUser));
+						$sErrorMessage=$this->Lang_Get('blog_user_already_exists',array('login'=>htmlspecialchars($sUser)));
 						break;
 					case ($aBlogUsers[$oUser->getId()]->getUserRole()==ModuleBlog::BLOG_USER_ROLE_REJECT):
-						$sErrorMessage=$this->Lang_Get('blog_user_already_reject',array('login'=>$sUser));
+						$sErrorMessage=$this->Lang_Get('blog_user_already_reject',array('login'=>htmlspecialchars($sUser)));
 						break;
 					default:
 						$sErrorMessage=$this->Lang_Get('system_error');
@ -1249,7 +1249,7 @@ class ActionBlog extends Action {
 					'bStateError'=>true,
 					'sMsgTitle'=>$this->Lang_Get('error'),
 					'sMsg'=>$sErrorMessage,
-					'sUserLogin'=>$sUser
+					'sUserLogin'=>htmlspecialchars($sUser)
 				);
 				continue;
 			}
--- a/classes/actions/ActionStream.class.php
+++ b/classes/actions/ActionStream.class.php
@ -164,7 +164,7 @@ class ActionStream extends Action {
 		 */
 		$oUser = $this->User_getUserByLogin(getRequest('login'));
 		if (!$oUser) {
-			$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>getRequest('login'))),$this->Lang_Get('error'));
+			$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>htmlspecialchars(getRequest('login')))),$this->Lang_Get('error'));
 			return;
 		}
 		if ($this->oUserCurrent->getId() == $oUser->getId()) {
--- a/classes/actions/ActionTalk.class.php
+++ b/classes/actions/ActionTalk.class.php
@ -393,7 +393,7 @@ class ActionTalk extends Action {
 						str_replace(
 							'login',
 							$oUser->getLogin(),
-							$this->Lang_Get('talk_user_in_blacklist',array('login'=>$oUser->getLogin()))
+							$this->Lang_Get('talk_user_in_blacklist',array('login'=>htmlspecialchars($oUser->getLogin())))
 						),
 						$this->Lang_Get('error')
 					);
@ -642,16 +642,16 @@ class ActionTalk extends Action {
 						$aResult[]=array(
 							'bStateError'=>false,
 							'sMsgTitle'=>$this->Lang_Get('attention'),
-							'sMsg'=>$this->Lang_Get('talk_blacklist_add_ok',array('login'=>$sUser)),
+							'sMsg'=>$this->Lang_Get('talk_blacklist_add_ok',array('login'=>htmlspecialchars($sUser))),
 							'sUserId'=>$oUser->getId(),
-							'sUserLogin'=>$sUser
+							'sUserLogin'=>htmlspecialchars($sUser)
 						);
 					} else {
 						$aResult[]=array(
 							'bStateError'=>true,
 							'sMsgTitle'=>$this->Lang_Get('error'),
 							'sMsg'=>$this->Lang_Get('system_error'),
-							'sUserLogin'=>$sUser
+							'sUserLogin'=>htmlspecialchars($sUser)
 						);					
 					}
 				} else {
@ -660,8 +660,8 @@ class ActionTalk extends Action {
 					$aResult[]=array(
 						'bStateError'=>true,
 						'sMsgTitle'=>$this->Lang_Get('error'),
-						'sMsg'=>$this->Lang_Get('talk_blacklist_user_already_have',array('login'=>$sUser)),
-						'sUserLogin'=>$sUser
+						'sMsg'=>$this->Lang_Get('talk_blacklist_user_already_have',array('login'=>htmlspecialchars($sUser))),
+						'sUserLogin'=>htmlspecialchars($sUser)
 					);
 					continue;
 				}
@ -669,8 +669,8 @@ class ActionTalk extends Action {
 				$aResult[]=array(
 					'bStateError'=>true,
 					'sMsgTitle'=>$this->Lang_Get('error'),
-					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser)),
-					'sUserLogin'=>$sUser
+					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser))),
+					'sUserLogin'=>htmlspecialchars($sUser)
 				);
 			}					
 		}
@ -700,7 +700,7 @@ class ActionTalk extends Action {
 		// Если пользователь не существуем, возращаем ошибку
 		if (!$oUserTarget=$this->User_GetUserById($idTarget)) {
 			$this->Message_AddErrorSingle(
-				$this->Lang_Get('user_not_found_by_id',array('id'=>$idTarget)),
+				$this->Lang_Get('user_not_found_by_id',array('id'=>htmlspecialchars($idTarget))),
 				$this->Lang_Get('error')				
 			);
 			return;				
@ -762,7 +762,7 @@ class ActionTalk extends Action {
 		// возвращаем ошибку
 		if (!$oUserTarget=$this->User_GetUserById($idTarget)) {
 			$this->Message_AddErrorSingle(
-				$this->Lang_Get('user_not_found_by_id',array('id'=>$idTarget)),
+				$this->Lang_Get('user_not_found_by_id',array('id'=>htmlspecialchars($idTarget))),
 				$this->Lang_Get('error')				
 			);
 			return;				
@ -890,7 +890,7 @@ class ActionTalk extends Action {
 									$aResult[]=array(
 										'bStateError'=>false,
 										'sMsgTitle'=>$this->Lang_Get('attention'),
-										'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',$sUser)),
+										'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',htmlspecialchars($sUser))),
 										'sUserId'=>$oUser->getId(),
 										'sUserLogin'=>$oUser->getLogin(),
 										'sUserLink'=>$oUser->getUserWebPath()
@ -910,7 +910,7 @@ class ActionTalk extends Action {
 								$aResult[]=array(
 									'bStateError'=>true,
 									'sMsgTitle'=>$this->Lang_Get('error'),
-									'sMsg'=>$this->Lang_Get('talk_speaker_user_already_exist',array('login'=>$sUser))
+									'sMsg'=>$this->Lang_Get('talk_speaker_user_already_exist',array('login'=>htmlspecialchars($sUser)))
 								);								
 								break;
 							// Если пользователь удалил себя из разговора самостоятельно,
@ -919,7 +919,7 @@ class ActionTalk extends Action {
 								$aResult[]=array(
 									'bStateError'=>true,
 									'sMsgTitle'=>$this->Lang_Get('error'),
-									'sMsg'=>$this->Lang_Get('talk_speaker_delete_by_self',array('login'=>$sUser))
+									'sMsg'=>$this->Lang_Get('talk_speaker_delete_by_self',array('login'=>htmlspecialchars($sUser)))
 								);								
 								break;
 							
@ -946,7 +946,7 @@ class ActionTalk extends Action {
 							$aResult[]=array(
 								'bStateError'=>false,
 								'sMsgTitle'=>$this->Lang_Get('attention'),
-								'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',$sUser)),
+								'sMsg'=>$this->Lang_Get('talk_speaker_add_ok',array('login',htmlspecialchars($sUser))),
 								'sUserId'=>$oUser->getId(),
 								'sUserLogin'=>$oUser->getLogin(),
 								'sUserLink'=>$oUser->getUserWebPath()	
@ -964,7 +964,7 @@ class ActionTalk extends Action {
 					$aResult[]=array(
 						'bStateError'=>true,
 						'sMsgTitle'=>$this->Lang_Get('error'),
-						'sMsg'=>$this->Lang_Get('talk_user_in_blacklist',array('login'=>$sUser))
+						'sMsg'=>$this->Lang_Get('talk_user_in_blacklist',array('login'=>htmlspecialchars($sUser)))
 					);						
 				}
 			} else {
@ -972,7 +972,7 @@ class ActionTalk extends Action {
 				$aResult[]=array(
 					'bStateError'=>true,
 					'sMsgTitle'=>$this->Lang_Get('error'),
-					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>$sUser))
+					'sMsg'=>$this->Lang_Get('user_not_found',array('login'=>htmlspecialchars($sUser)))
 				);
 			}	
 		}
--- a/classes/actions/ActionUserfeed.class.php
+++ b/classes/actions/ActionUserfeed.class.php
@ -165,7 +165,7 @@ class ActionUserfeed extends Action {
 		 */
 		$oUser = $this->User_getUserByLogin(getRequest('login'));
 		if (!$oUser) {
-			$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>getRequest('login'))),$this->Lang_Get('error'));
+			$this->Message_AddError($this->Lang_Get('user_not_found',array('login'=>htmlspecialchars(getRequest('login')))),$this->Lang_Get('error'));
 			return;
 		}
 		/**