# HG changeset patch
# User Dan
# Date 1250869646 14400
# Node ID 3343a05e7e5b8c54c2291a92910f8175a8ac1a62
# Parent 742cb0f10766c069fe9c7b0f567eff3de2e610e2
SECURITY: Comments: fix poor sanitization of subject on initial submit
diff -r 742cb0f10766 -r 3343a05e7e5b includes/comment.php
--- a/includes/comment.php Thu Aug 20 21:15:19 2009 -0400
+++ b/includes/comment.php Fri Aug 21 11:47:26 2009 -0400
@@ -312,6 +312,7 @@
 $subj = htmlspecialchars($data['subj']);
 $text = RenderMan::preprocess_text($data['text'], true, false);
 $src = $text;
+ $sql_subj = $db->escape($subj);
 $sql_text = $db->escape($text);
 $text = RenderMan::render($text);
 $appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED;
@@ -325,7 +326,7 @@
 // Send it to the database
 $q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " .
- "('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
+ "('$this->page_id', '$this->namespace', '$name', '$sql_subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
 if(!$q) $db->die_json();
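Review bot: `htmlspecialchars($data['subj'])` in the first context line of the first hunk is called with default flags, which on PHP versions before 8.1 (ENT_COMPAT) leave single quotes unencoded, so `$subj` is HTML-encoded but was never safe inside a single-quoted SQL literal. The added `$sql_subj = $db->escape($subj);` covers the query, but if `$subj` is later echoed into a single-quoted HTML attribute it is presumably still unsafe there. I would pass the flag explicitly, `$subj = htmlspecialchars($data['subj'], ENT_QUOTES);`, and add a comment next to the new line such as `// $subj is HTML-encoded for output only; only $sql_subj may go into a query`. The enclosing function starts and ends outside the hunk, so the later uses of `$subj` cannot be checked from here.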
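Review bot: In the second hunk the INSERT is still built by string interpolation, and of the values placed in quoted literals only `$sql_subj` and `$sql_text` are visibly passed through `$db->escape()`. Where `$name`, `$ip`, `$this->page_id` and `$this->namespace` are sanitized lies outside the hunk and should be confirmed before this is considered closed. The unquoted `$time` and `{$session->user_id}` are only safe if they are integers, so an explicit cast just before the query, e.g. `$user_id = (int) $session->user_id;`, would make that dependency visible. A comment above the call such as `// every quoted value below must already be $db->escape()'d; unquoted values must be ints` would keep the next edit from repeating the original mistake.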