SECURITY: Multiple XSS in Special:ChangeStyle. Reported by Mesut Timur of Mavituna Security - thanks!
--- a/plugins/SpecialUserFuncs.php Mon Dec 28 16:52:41 2009 -0500
+++ b/plugins/SpecialUserFuncs.php Mon Jun 28 11:00:51 2010 -0400
@@ -929,15 +929,15 @@
foreach($template->theme_list as $t) {
if($t['enabled'])
{
- echo '<option value="'.$t['theme_id'].'"';
+ echo '<option value="'.htmlspecialchars($t['theme_id']).'"';
if($t['theme_id'] == $session->theme) echo ' selected="selected"';
- echo '>'.$t['theme_name'].'</option>';
+ echo '>'.htmlspecialchars($t['theme_name']).'</option>';
}
}
?>
</select>
</p>
- <p><input type="hidden" name="return_to" value="<?php echo $ret; ?>" />
+ <p><input type="hidden" name="return_to" value="<?php echo htmlspecialchars($ret); ?>" />
<input type="submit" name="themeselected" value="Continue" /></p>
<?php } else {
$theme = $_POST['theme'];
@@ -968,8 +968,8 @@
?>
</select>
</p>
- <p><input type="hidden" name="return_to" value="<?php echo $ret; ?>" />
- <input type="hidden" name="theme" value="<?php echo $theme; ?>" />
+ <p><input type="hidden" name="return_to" value="<?php echo htmlspecialchars($ret); ?>" />
+ <input type="hidden" name="theme" value="<?php echo htmlspecialchars($theme); ?>" />
<input type="submit" name="allclear" value="Change style" /></p>
<?php } ?>
</form>