From bf341b8a6164dad70ce289862bff828782c68213 Mon Sep 17 00:00:00 2001
From: brettp
Date: Mon, 22 Nov 2010 02:15:03 +0000
Subject: Merged bookmarks XSS fixes in r7406 to trunk.

git-svn-id: http://code.elgg.org/elgg/trunk@7410 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 mod/bookmarks/actions/add.php                    | 8 ++++++++
 mod/bookmarks/views/default/object/bookmarks.php | 8 ++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
(limited to 'mod/bookmarks')

diff --git a/mod/bookmarks/actions/add.php b/mod/bookmarks/actions/add.php
index e633244c1..60859f90f 100644
--- a/mod/bookmarks/actions/add.php
+++ b/mod/bookmarks/actions/add.php
@@ -20,6 +20,14 @@ if (!$title || !$address) {
 forward(REFERER);
 }
+// don't allow malicious code.
+// put this in a context of a link so HTMLawed knows how to filter correctly.
+$xss_test = "";
+if ($xss_test != filter_tags($xss_test)) {
+ register_error(elgg_echo('bookmarks:save:failed'));
+ forward(REFERER);
+}
+
 //create a new bookmark object
 $entity = new ElggObject;
 $entity->subtype = "bookmarks";
diff --git a/mod/bookmarks/views/default/object/bookmarks.php b/mod/bookmarks/views/default/object/bookmarks.php
index aa4874610..09d91a3c3 100644
--- a/mod/bookmarks/views/default/object/bookmarks.php
+++ b/mod/bookmarks/views/default/object/bookmarks.php
@@ -15,6 +15,10 @@ if (!$title = $vars['entity']->title) {
 $title = elgg_echo('bookmarks:no_title');
 }
+$a_tag_visit = filter_tags("" . elgg_echo('bookmarks:visit') . "");
+$a_tag_title = filter_tags("$title");
+
+
 $parsed_url = parse_url($address);
 $faviconurl = $parsed_url['scheme'] . "://" . $parsed_url['host'] . "/favicon.ico";
@@ -76,7 +80,7 @@ if($vars['entity']->canEdit()){
 $info .= "";
-$info .= "
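Review bot: The added `if ($xss_test != filter_tags($xss_test))` check in add.php treats any rewrite by the HTML filter as an attack, so a harmless address that HTMLawed merely normalises (entity-encodes or re-quotes an attribute) is rejected with the generic 'bookmarks:save:failed' message, and the comparison itself is loose (`!=`) where `!==` is meant. The durable check is on the value rather than on the filter's side effects: validate `$address` up front with `filter_var($address, FILTER_VALIDATE_URL)` and an explicit scheme allow-list such as http/https, and keep `filter_tags` as a second layer. The literal assigned to `$xss_test` is not visible on this page (its markup was stripped), so I cannot confirm which link context it builds; presumably it wraps `$address` only, which leaves `$title` unvalidated on input and relying solely on the output-side filtering in bookmarks.php. Since the check only affects new submissions, bookmarks stored before this change are not covered by it.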
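Review bot: In the first bookmarks.php hunk, `$a_tag_title = filter_tags("$title")` interpolates the raw `$title` into link markup before filtering, so the result depends entirely on how `filter_tags` is configured for this context; escaping the text node explicitly with `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')` before building the fragment (or rendering the link through the `output/url` view, if this version provides it) would not rely on that. The markup around `$a_tag_visit` and `$a_tag_title` was stripped on this page, so I cannot confirm how `$address` is placed into the href. The adjacent `$faviconurl` line builds a URL from the same `$address` via `parse_url` without any filtering and reads `$parsed_url['scheme']` and `['host']` unconditionally; an address with no scheme or host produces notices and a malformed favicon URL, so a `isset($parsed_url['scheme'], $parsed_url['host'])` guard there would be worth adding in the same change.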

{$title}

"; +$info .= "

$a_tag_title

"; $info .= "
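Review bot: The replacement line now inserts the filtered `$a_tag_title`, but the neighbouring context line that builds the "Bookmarked by" markup still interpolates `$owner->username` and `{$owner->name}` into the same `$info` string without any escaping, so this output point stays inconsistent with the fix applied to the title. Unless owner names are guaranteed sanitised elsewhere, wrap them at this point with `htmlspecialchars($owner->name, ENT_QUOTES, 'UTF-8')` and the same for the username in the href. The string concatenations in this hunk are cut across lines with their markup stripped on this page, so the exact attribute context of each value cannot be confirmed here.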

Bookmarked by username}\">{$owner->name} {$friendlytime} {$view_notes}

"; $tags = elgg_view('output/tags', array('tags' => $vars['entity']->tags)); @@ -88,4 +92,4 @@ if($view_notes != ''){ } //display -echo elgg_view_listing($icon, $info); \ No newline at end of file +echo elgg_view_listing($icon, $info); -- cgit v1.2.3