Changeset 430

Timestamp:
05/20/06 15:42:32 (2 years ago)
Author:
Rickard
Message:

Fixed XSS vulnerability involving URL BBCode (only affects Internet Explorer users).

Files:

  • trunk/upload/include/parser.php

    r241 r430  
    265265        global $pun_user; 
    266266 
    267         $full_url = str_replace(array(' ', '\'', '`'), array('%20', '', ''), $url); 
     267        $full_url = str_replace(array(' ', '\'', '`', '"'), array('%20', '', '', ''), $url); 
    268268        if (strpos($url, 'www.') === 0)                 // If it starts with www, we add http:// 
    269269                $full_url = 'http://'.$full_url;
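
Review bot: the changed `str_replace` on line 267 extends a character denylist by deleting `"` alongside `'` and the backtick, so the fix still depends on enumerating every character a browser may treat as an attribute delimiter. If it is not already done where the link is emitted, consider escaping `$full_url` for the HTML attribute context (for example `htmlspecialchars($full_url, ENT_QUOTES)`), or percent-encoding the quote characters (`%22`, `%27`, `%60`) the way the space is already mapped to `%20`, so a URL that legitimately contains them is preserved rather than silently altered. A short comment on this line stating why these characters are stripped would also help, since the only comment in the hunk covers the `www.` case.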