tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-5958-xss-event-view' into 'develop' 

fixed vulnerabilty on events comments

See merge request artica/pandorafms!3287
This commit is contained in:
Alejandro Fraguas 2020-06-15 11:38:01 +02:00
parent fae30ca0e2 93bc14d102
commit aaa1ae6650
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pandora_console/include/ajax/events.php
View File

@ -1088,10 +1088,18 @@ if ($dialogue_event_response) {
}
if ($add_comment) {
$aviability_comment = true;
$comment = get_parameter('comment');
if (preg_match('<script>', io_safe_output($comment))) {
$aviability_comment = false;
$return = false;
}
$event_id = get_parameter('event_id');
$return = events_comment($event_id, $comment, 'Added comment', $meta, $history);
if ($aviability_comment !== false) {
$return = events_comment($event_id, $comment, 'Added comment', $meta, $history);
}
if ($return) {
echo 'comment_ok';