mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-12 23:56:08 +00:00
fix(profile): store profile descriptions raw to stop double-escaping (#273)
This commit is contained in:
@@ -65,25 +65,21 @@ $email = $database->escape($email);
|
||||
|
||||
$tribe = max(1, min(5, (int)($_POST['tribe'] ?? 1)));
|
||||
|
||||
// BUG-3: store location/descriptions raw. escape() keeps the interpolated UPDATE
|
||||
// SQL-safe and strip_tags() drops markup; every display site (player.tpl,
|
||||
// playerinfo.tpl, editUser.tpl) escapes with htmlspecialchars(), so the extra
|
||||
// RemoveXSS() here only double-escaped the stored value (literal " entities).
|
||||
$location_raw = trim($_POST['location'] ?? '');
|
||||
$location = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($location_raw), 0, 50))
|
||||
);
|
||||
$location = $database->escape(mb_substr(strip_tags($location_raw), 0, 50));
|
||||
|
||||
$desc1_raw = $_POST['desc1'] ?? '';
|
||||
$desc1 = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000))
|
||||
);
|
||||
$desc1 = $database->escape(mb_substr(strip_tags($desc1_raw, '<b><i><u><br>'), 0, 5000));
|
||||
|
||||
$desc2_raw = $_POST['desc2'] ?? '';
|
||||
$desc2 = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000))
|
||||
);
|
||||
$desc2 = $database->escape(mb_substr(strip_tags($desc2_raw, '<b><i><u><br>'), 0, 5000));
|
||||
|
||||
$quest_raw = trim($_POST['quest'] ?? '');
|
||||
$quest = $database->escape(
|
||||
$database->RemoveXSS(mb_substr(strip_tags($quest_raw), 0, 200))
|
||||
);
|
||||
$quest = $database->escape(mb_substr(strip_tags($quest_raw), 0, 200));
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Update
|
||||
|
||||
Reference in New Issue
Block a user