Topic: Security Fix: Members/composeMsg.php & Members/contact.php

Offline 757jterrell

This will prevent an XSS attack on these pages. These 2 pages are almost exactly the same.

This is included in the SDR 3, 8-1-11 Update.

In Members/composeMsg.php, go to lines 84 to 86 and you will see this code:

<tr>
   <td colspan=2><textarea name=\"message\" style=\"width: 100%; height: 200px\">$messages</textarea></td>
</tr>

Change the middle line to look like this:

<tr>
   <td colspan=2><textarea name=\"message\" style=\"width: 100%; height: 200px\">". htmlspecialchars($message, ENT_QUOTES)."</textarea></td>
</tr>

Now let's do the other page: go to your members/contact.php and go to lines 84 to 86, where you see this code:

<tr>
   <td colspan=2><textarea name=\"message\" style=\"width: 100%; height: 200px\">$messages</textarea></td>
</tr>

Change the middle line to look like this:

<tr>
   <td colspan=2><textarea name=\"message\" style=\"width: 100%; height: 200px\">". htmlspecialchars($message, ENT_QUOTES)."</textarea></td>
</tr>


Also on both pages add the following:

after $includes[title]="Compose Message";
ADD:
$error = '';
« Last Edit: July 31, 2011, 07:34:36 AM by 757jterrell »
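
The effect of the change above, shown as an added example that is not part of the original post or the script's own code. The function names and the sample input are constructed for illustration, and the 'UTF-8' charset argument is an assumption about how the page is served.

```php
<?php
// Added example. Function names and the sample input are constructed here;
// only the textarea markup and the htmlspecialchars() call come from the post.

// Constructed input: closes the textarea early, then supplies its own markup.
$message = "Hi</textarea><b>injected</b> it's \"quoted\"";

// Before the fix: the value is interpolated into the HTML as-is.
function renderBefore(string $message): string
{
    return "<textarea name=\"message\">$message</textarea>";
}

// After the fix: <, >, &, " and ' become entities, so the value stays text.
// Assumption: the page is served as UTF-8 (the post omits the charset argument).
function renderAfter(string $message): string
{
    return "<textarea name=\"message\">"
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
        . "</textarea>";
}

// True when submitted text ended the textarea itself or left a raw tag in the page.
function escapesTextarea(string $html): bool
{
    return substr_count($html, '</textarea>') !== 1
        || strpos($html, '<b>') !== false;
}

foreach (['before' => renderBefore($message), 'after' => renderAfter($message)] as $label => $html) {
    echo $label, ': ', $html, "\n";
    echo '  input became markup: ', escapesTextarea($html) ? 'yes' : 'no', "\n";
}

// The browser decodes the entities again, so the member sees exactly what was typed.
$roundTrip = html_entity_decode(
    htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),
    ENT_QUOTES,
    'UTF-8'
);
echo 'round trip intact: ', $roundTrip === $message ? 'yes' : 'no', "\n";
```

The "before" lines in the post show $messages while the replacement uses $message, so check which variable your copy of each file actually assigns before saving the edit.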

Offline chicoi08

Re: Security Fix: Members/composeMsg.php & Members/contact.php
« Reply #1 on: July 30, 2011, 06:00:37 PM »
Thank you for posting!