fix(profile): store profile descriptions raw to stop double-escaping (#273)

This commit is contained in:
Ferywir
2026-06-24 05:51:24 +02:00
committed by GitHub
parent c0bbf2bfbe
commit d0479a55ce
2 changed files with 15 additions and 15 deletions
+8 -12
View File
@@ -65,25 +65,21 @@ $email = $database->escape($email);
$tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1)));
// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE
// SQL-safe and strip_tags() drops markup; every display site (player.tpl,
// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra
// RemoveXSS() here only double-escaped the stored value (literal " entities).
$location_raw = trim($_POST['location'] ?? '');
$location = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($location_raw), 0, 50))
);
$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50));
$desc1_raw = $_POST['desc1'] ?? '';
$desc1 = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000))
);
$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000));
$desc2_raw = $_POST['desc2'] ?? '';
$desc2 = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000))
);
$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000));
$quest_raw = trim($_POST['quest'] ?? '');
$quest = $database->escape(
$database->RemoveXSS(mb_substr(strip_tags($quest_raw), 0, 200))
);
$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200));
// ---------------------------------------------------------------------------
// Update
+7 -3
View File
@@ -219,9 +219,13 @@ class Profile {
$birthday = preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $birthday) ? $birthday : '0';
$mw = (int)($post['mw'] ?? 0);
$ort = $database->RemoveXSS(trim($post['ort'] ?? ''));
$be1 = $database->RemoveXSS(trim($post['be1'] ?? '')); // right description
$be2 = $database->RemoveXSS(trim($post['be2'] ?? '')); // left description
// BUG-3: store the location/descriptions raw. submitProfile() uses a prepared
// statement (SQL-safe) and every display site escapes with htmlspecialchars()
// before rendering BBCode, so RemoveXSS() here only double-escaped the data
// (baked-in backslashes from its SQL escape + literal &quot; entities).
$ort = trim($post['ort'] ?? '');
$be1 = trim($post['be1'] ?? ''); // right description
$be2 = trim($post['be2'] ?? ''); // left description
$database->submitProfile($session->uid, $mw, $ort, $birthday, $be2, $be1);