mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-15 09:06:08 +00:00
fix(profile): store profile descriptions raw to stop double-escaping (#273)
This commit is contained in:
@@ -65,25 +65,21 @@ $email = $database->escape($email);
|
||||
|
||||
$tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1)));
|
||||
|
||||
// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE
|
||||
// SQL-safe and strip_tags() drops markup; every display site (player.tpl,
|
||||
// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra
|
||||
// RemoveXSS() here only double-escaped the stored value (literal " entities).
|
||||
$location_raw = trim($_POST['location'] ?? '');
|
||||
$location = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($location_raw), 0, 50))
|
||||
);
|
||||
$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50));
|
||||
|
||||
$desc1_raw = $_POST['desc1'] ?? '';
|
||||
$desc1 = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000))
|
||||
);
|
||||
$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000));
|
||||
|
||||
$desc2_raw = $_POST['desc2'] ?? '';
|
||||
$desc2 = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000))
|
||||
);
|
||||
$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000));
|
||||
|
||||
$quest_raw = trim($_POST['quest'] ?? '');
|
||||
$quest = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($quest_raw), 0, 200))
|
||||
);
|
||||
$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200));
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Update
|
||||
|
||||
@@ -219,9 +219,13 @@ class Profile {
|
||||
$birthday = preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $birthday) ? $birthday : '0';
|
||||
|
||||
$mw = (int)($post['mw'] ?? 0);
|
||||
$ort = $database->RemoveXSS(trim($post['ort'] ?? ''));
|
||||
$be1 = $database->RemoveXSS(trim($post['be1'] ?? '')); // right description
|
||||
$be2 = $database->RemoveXSS(trim($post['be2'] ?? '')); // left description
|
||||
// BUG-3: store the location/descriptions raw. submitProfile() uses a prepared
|
||||
// statement (SQL-safe) and every display site escapes with htmlspecialchars()
|
||||
// before rendering BBCode, so RemoveXSS() here only double-escaped the data
|
||||
// (baked-in backslashes from its SQL escape + literal " entities).
|
||||
$ort = trim($post['ort'] ?? '');
|
||||
$be1 = trim($post['be1'] ?? ''); // right description
|
||||
$be2 = trim($post['be2'] ?? ''); // left description
|
||||
|
||||
$database->submitProfile($session->uid, $mw, $ort, $birthday, $be2, $be1);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user