author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-11-22 02:15:03 +0000 |
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-11-22 02:15:03 +0000 |
commit | bf341b8a6164dad70ce289862bff828782c68213 (patch) | |
tree | cfb6f49637bb4f19fed89d0d4190c9f29020b876 /mod/bookmarks/actions/add.php | |
parent | f2b91ade6ba9dfae5926015074d9e500484055b1 (diff) | |
Merged bookmarks XSS fixes in r7406 to trunk.
git-svn-id: http://code.elgg.org/elgg/trunk@7410 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'mod/bookmarks/actions/add.php')
-rw-r--r-- | mod/bookmarks/actions/add.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/mod/bookmarks/actions/add.php b/mod/bookmarks/actions/add.php
index e633244c1..60859f90f 100644
--- a/mod/bookmarks/actions/add.php
+++ b/mod/bookmarks/actions/add.php
@@ -20,6 +20,14 @@ if (!$title || !$address) {
 forward(REFERER);
 }
 
+// don't allow malicious code.
+// put this in a context of a link so HTMLawed knows how to filter correctly.
+$xss_test = "<a href=\"$address\"></a>";
+if ($xss_test != filter_tags($xss_test)) {
+register_error(elgg_echo('bookmarks:save:failed'));
+forward(REFERER);
+}
+
 //create a new bookmark object
 $entity = new ElggObject;
 $entity->subtype = "bookmarks"; |
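Review bot: The new check rejects `$address` only when `filter_tags()` would rewrite the synthetic `<a href>` built around it, so it measures HTMLawed's normalisation rather than whether the URL is acceptable: an address the filter merely re-encodes (a bare `&` in a query string, for example) may be refused as malicious, while anything the filter leaves untouched is stored unmodified. A positive check would state the intent directly, e.g. `$scheme = strtolower((string) parse_url($address, PHP_URL_SCHEME));` followed by `if (!in_array($scheme, array('http', 'https'), true)) {` in place of the string comparison, keeping the existing `register_error`/`forward` branch. Separately, the comparison should be `!==`; `!=` on two strings silently switches to numeric comparison when both look numeric. The comment above the check should also say what is actually being tested, e.g. `// reject the address if HTMLawed would alter it inside an href attribute`. The action script continues outside the hunk.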