# HG changeset patch
# User Dan Fuhry
# Date 1277736184 14400
# Node ID 13f8d373da67e756d484d4f1d80dc84809bb97c3
# Parent e34c23a35dc978f01953eda94f6246e7e7fa57f1
SECURITY: Multiple XSS in Special:ChangeStyle. Reported by Mesut Timur of Mavituna Security - thanks! Also removed my stand-in for ucfirst().
diff -r e34c23a35dc9 -r 13f8d373da67 includes/functions.php
--- a/includes/functions.php Wed Jun 02 21:58:26 2010 -0400
+++ b/includes/functions.php Mon Jun 28 10:43:04 2010 -0400
@@ -1443,17 +1443,6 @@
}
/**
- * Capitalizes the first letter of a string
- * @param $text string the text to be transformed
- * @return string
- */
-
-function capitalize_first_letter($text)
-{
- return strtoupper(substr($text, 0, 1)) . substr($text, 1);
-}
-
-/**
* Checks if a value in a bitfield is on or off
* @param $bitfield int the bit-field value
* @param $value int the value to switch off
diff -r e34c23a35dc9 -r 13f8d373da67 includes/sessions.php
--- a/includes/sessions.php Wed Jun 02 21:58:26 2010 -0400
+++ b/includes/sessions.php Mon Jun 28 10:43:04 2010 -0400
@@ -2841,7 +2841,7 @@
{
if(!$desc)
{
- $desc = capitalize_first_letter(str_replace('_', ' ', $acl_type));
+ $desc = ucfirst(str_replace('_', ' ', $acl_type));
}
$this->acl_types[$acl_type] = $default_perm;
$this->acl_descs[$acl_type] = $desc;
diff -r e34c23a35dc9 -r 13f8d373da67 plugins/SpecialUserFuncs.php
--- a/plugins/SpecialUserFuncs.php Wed Jun 02 21:58:26 2010 -0400
+++ b/plugins/SpecialUserFuncs.php Mon Jun 28 10:43:04 2010 -0400
@@ -1244,13 +1244,13 @@
{
echo ' selected="selected"';
}
- echo '>' . $t['theme_name'] . '';
+ echo '>' . htmlspecialchars($t['theme_name']) . '';
}
}
?>
-
+
'.capitalize_first_letter($l).'';
+ echo '';
}
?>
-
-
+
+
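Review bot: The new escaping on the `theme_name` line relies on the default flags of htmlspecialchars(), which on the PHP versions this 2010 patch targets are ENT_COMPAT and leave single quotes untouched; that is adequate for the option's text content at this spot, but the identical call pattern becomes an XSS bypass as soon as a value is emitted inside a single-quoted attribute. I would make the flags and charset explicit so the call is safe regardless of where it is later copied: `echo '>' . htmlspecialchars($t['theme_name'], ENT_QUOTES, 'UTF-8') . '';`. The rest of the hunk (the `$l` language-option loop) appears to have lost its HTML markup in extraction, and one removed line its `-` marker, so I cannot confirm from here whether the attribute side of those options is escaped as thoroughly as the label — worth checking against the actual file. The echo sits inside a PHP loop whose opening lies outside the hunk.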