Changeset 961

Timestamp:

03/04/2008 12:01:56 AM (3 years ago)

Author:

DotMG

Message:

Validating $_SESSION['redirectmessage'] before use. addslashes($this->htmlspecialchars_ent($message)) gives a sanitized string.

fixes #695

Location:

trunk

Files:

• libs/Wakka.class.php (modified) (1 diff)
• templates/header.php (modified) (1 diff)

trunk/libs/Wakka.class.php

@@ -2545 +2545 @@
         }
         /**
-         * Get a message, if one was stored before redirection.
-         *
+         * Get a message, if one was stored before redirection. 
+         * To set the message, either use {@link Wakka::SetRedirectMessage()} or the second parameter
+         * of the {@link Wakka::Redirect()} method.
+         * The message is passed transparently between {@link Wakka::SetRedirectMessage()} and 
+         * GetRedirectMessage(). It is the responsibility of any code setting and getting that 
+         * message to perform any validation against the message (quotes handling, XHTML validation, ...)
+         *
+         * @see Wakka::Redirect()
+         * @see Wakka::SetRedirectMessage()
          * @return string either the text of the message or an empty string.
          */

trunk/templates/header.php

@@ -46 +46 @@
 // get "input" variables
 $message = $this->GetRedirectMessage();
+$message = addslashes($this->htmlspecialchars_ent($message));
 
 // init output variables