Fix #250
This commit is contained in:
novgorodschi catalin
2026-06-22 12:34:31 +03:00
parent 561933b23b
commit c250a19f5a
2 changed files with 61 additions and 46 deletions
+61 -46
View File
@@ -125,53 +125,68 @@ class Profile {
private function updateLinks($post) { private function updateLinks($post) {
global $database, $session; global $database, $session;
$uid = (int)$session->uid; $uid = (int)$session->uid;
$links = []; $links = [];
// Group the row fields (nr0, id0, linkname0, linkziel0, ...) by index. // Group the row fields (nr0, id0, linkname0, linkziel0, ...) by index.
foreach ($post as $key => $value) { foreach ($post as $key => $value) {
if (!is_string($value)) { if (!is_string($value)) {
continue; continue;
} }
$value = trim($value); $value = trim($value);
if (strpos($key, 'linkname') === 0) { if (strpos($key, 'linkname') === 0) {
$links[substr($key, 8)]['name'] = mysqli_real_escape_string($database->dblink, $value); $links[substr($key, 8)]['name'] = $value;
} elseif (strpos($key, 'linkziel') === 0) { } elseif (strpos($key, 'linkziel') === 0) {
$links[substr($key, 8)]['url'] = mysqli_real_escape_string($database->dblink, $value); $links[substr($key, 8)]['url'] = $value;
} elseif (strpos($key, 'nr') === 0) { } elseif (strpos($key, 'nr') === 0) {
$links[substr($key, 2)]['nr'] = (int)$value; $links[substr($key, 2)]['nr'] = (int)$value;
} elseif (strpos($key, 'id') === 0) { } elseif (strpos($key, 'id') === 0) {
$links[substr($key, 2)]['id'] = (int)$value; $links[substr($key, 2)]['id'] = (int)$value;
} }
} }
foreach ($links as $link) { foreach ($links as $link) {
$nr = isset($link['nr']) ? (int)$link['nr'] : 0; $nr = isset($link['nr']) ? (int)$link['nr'] : 0;
$id = isset($link['id']) ? (int)$link['id'] : 0; $id = isset($link['id']) ? (int)$link['id'] : 0;
$name = isset($link['name']) ? $link['name'] : '';
$url = isset($link['url']) ? $link['url'] : '';
if ($nr !== 0 && $name !== '' && $url !== '' && $id === 0) { // --- REMOVE XSS ---
// New link. $name_raw = trim($link['name'] ?? '');
mysqli_query( $url_raw = trim($link['url'] ?? '');
$database->dblink,
"INSERT INTO `" . TB_PREFIX . "links` (`userid`, `name`, `url`, `pos`) " . // name : without HTML, maximum 30 characters (as in the game), filtered through RemoveXSS
"VALUES ($uid, '$name', '$url', $nr)" $name = $database->RemoveXSS(mb_substr(strip_tags($name_raw), 0, 30));
);
} elseif ($nr !== 0 && $name !== '' && $url !== '' && $id > 0) { // url: accepts only http/https, max 120 characters, filtered through RemoveXSS
// Update existing link (ownership enforced in the WHERE clause). $url = '';
mysqli_query( if ($url_raw !== '' && preg_match('#^https?://#i', $url_raw)) {
$database->dblink, $url = $database->RemoveXSS(mb_substr($url_raw, 0, 120));
"UPDATE `" . TB_PREFIX . "links` SET `name`='$name', `url`='$url', `pos`=$nr " . }
"WHERE `id`=$id AND `userid`=$uid"
); // SQL: escape for SQL (keeping the current TravianZ style used in TravianZ)
} elseif ($nr === 0 && $name === '' && $url === '' && $id > 0) { $name_sql = mysqli_real_escape_string($database->dblink, $name);
// Emptied row -> delete (ownership enforced in the WHERE clause). $url_sql = mysqli_real_escape_string($database->dblink, $url);
mysqli_query(
$database->dblink, if ($nr !== 0 && $name !== '' && $url !== '' && $id === 0) {
"DELETE FROM `" . TB_PREFIX . "links` WHERE `id`=$id AND `userid`=$uid" // New link.
); mysqli_query(
$database->dblink,
"INSERT INTO `" . TB_PREFIX . "links` (`userid`, `name`, `url`, `pos`) " .
"VALUES ($uid, '$name_sql', '$url_sql', $nr)"
);
} elseif ($nr !== 0 && $name !== '' && $url !== '' && $id > 0) {
// Update existing link (ownership enforced in the WHERE clause).
mysqli_query(
$database->dblink,
"UPDATE `" . TB_PREFIX . "links` SET `name`='$name_sql', `url`='$url_sql', `pos`=$nr " .
"WHERE `id`=$id AND `userid`=$uid"
);
} elseif ($nr === 0 && $name === '' && $url === '' && $id > 0) {
// Emptied row -> delete (ownership enforced in the WHERE clause).
mysqli_query(
$database->dblink,
"DELETE FROM `" . TB_PREFIX . "links` WHERE `id`=$id AND `userid`=$uid"
);
} }
} }
} }
@@ -204,9 +219,9 @@ class Profile {
$birthday = preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $birthday) ? $birthday : '0'; $birthday = preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $birthday) ? $birthday : '0';
$mw = (int)($post['mw'] ?? 0); $mw = (int)($post['mw'] ?? 0);
$ort = trim($post['ort'] ?? ''); $ort = $database->RemoveXSS(trim($post['ort'] ?? ''));
$be2 = trim($post['be2'] ?? ''); // descrierea stânga $be1 = $database->RemoveXSS(trim($post['be1'] ?? '')); // right description
$be1 = trim($post['be1'] ?? ''); // descrierea dreapta $be2 = $database->RemoveXSS(trim($post['be2'] ?? '')); // left description
$database->submitProfile($session->uid, $mw, $ort, $birthday, $be2, $be1); $database->submitProfile($session->uid, $mw, $ort, $birthday, $be2, $be1);
Binary file not shown.

After

Width:  |  Height:  |  Size: 455 KiB