From 375422c132e32f94228811edb9c2459c479a9a06 Mon Sep 17 00:00:00 2001 From: novgorodschi catalin Date: Fri, 3 Jul 2026 10:48:21 +0300 Subject: [PATCH] Fix (vulnerability) Stored Cross-Site Scripting (XSS) in Admin Mass Message Tool Fix (vulnerability) Stored Cross-Site Scripting (XSS) in Admin Mass Message Tool --- GameEngine/Admin/Mods/massmessage.php | 90 ++++++++++++++++++++++----- 1 file changed, 74 insertions(+), 16 deletions(-) diff --git a/GameEngine/Admin/Mods/massmessage.php b/GameEngine/Admin/Mods/massmessage.php index 094f0206..3006747a 100644 --- a/GameEngine/Admin/Mods/massmessage.php +++ b/GameEngine/Admin/Mods/massmessage.php @@ -47,7 +47,23 @@ if ( $_SESSION['mass_subject'] = trim($_POST['subject']); $_SESSION['mass_message'] = trim($_POST['message']); - $_SESSION['mass_color'] = trim($_POST['color']); + $allowedColors = array( + 'black', + 'red', + 'green', + 'blue', + 'orange', + 'purple', + 'brown' + ); + + $color = strtolower(trim($_POST['color'])); + + if (!in_array($color, $allowedColors, true)) { + $color = 'black'; + } + + $_SESSION['mass_color'] = $color; header("Location: ../../../Admin/admin.php?p=massmessage&confirm=1"); exit; @@ -83,23 +99,65 @@ if ( |-------------------------------------------------------------------------- */ - $message = preg_replace( - "/\[img\](.*?)\[\/img\]/i", - "", - $message - ); + $message = preg_replace_callback( + "/\[img\](.*?)\[\/img\]/is", + function ($m) { - $message = preg_replace( - "/\[url\](.*?)\[\/url\]/i", - "$1", - $message - ); + $url = trim($m[1]); - $message = preg_replace( - "/\[url=(.*?)\](.*?)\[\/url\]/i", - "$2", - $message - ); + if (!preg_match('#^https?://#i', $url)) { + return ''; + } + + $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); + + return ''; + }, + $message + ); + + $message = preg_replace_callback( + "/\[url\](.*?)\[\/url\]/is", + function ($m) { + + $url = trim($m[1]); + + if (!preg_match('#^https?://#i', $url)) { + return htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); + } + + $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); + + return '' . + $safe . + ''; + }, + $message + ); + + $message = preg_replace_callback( + "/\[url=(.*?)\](.*?)\[\/url\]/is", + function ($m) { + + $url = trim($m[1]); + $text = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8'); + + if (!preg_match('#^https?://#i', $url)) { + return $text; + } + + $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); + + return '' . + $text . + ''; + }, + $message + ); $message = "[message]".$message."[/message]";