lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-24 20:17:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix xss

Browse Source
This commit is contained in:
xiaomlove
2023-05-15 03:45:51 +08:00
parent b9eb7080ce
commit ace061c034
2 changed files with 26 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/functions.php
+19 -16
View File
@@ -69,7 +69,10 @@ function stdmsg($heading, $text, $htmlstrip = false)
if ($htmlstrip) { if ($htmlstrip) {
$heading = htmlspecialchars(trim($heading)); $heading = htmlspecialchars(trim($heading));
$text = htmlspecialchars(trim($text)); $text = htmlspecialchars(trim($text));
} } else {
$heading = strip_tags($heading, '<a>');
$text = strip_tags($text, '<a>');
}
print("<table align=\"center\" class=\"main\" width=\"500\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td class=\"embedded\">\n"); print("<table align=\"center\" class=\"main\" width=\"500\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td class=\"embedded\">\n");
if ($heading) if ($heading)
print("<h2>".$heading."</h2>\n"); print("<h2>".$heading."</h2>\n");
@@ -3002,22 +3005,22 @@ function logincookie($id, $passhash, $updatedb = 1, $expires = 0x7fffffff, $secu
if ($expires != 0x7fffffff) if ($expires != 0x7fffffff)
$expires = time()+$expires; $expires = time()+$expires;
setcookie("c_secure_uid", base64($id), $expires, "/"); setcookie("c_secure_uid", base64($id), $expires, "/", "", false, true);
setcookie("c_secure_pass", $passhash, $expires, "/"); setcookie("c_secure_pass", $passhash, $expires, "/", "", false, true);
if($ssl) if($ssl)
setcookie("c_secure_ssl", base64("yeah"), $expires, "/"); setcookie("c_secure_ssl", base64("yeah"), $expires, "/", "", false, true);
else else
setcookie("c_secure_ssl", base64("nope"), $expires, "/"); setcookie("c_secure_ssl", base64("nope"), $expires, "/", "", false, true);
if($trackerssl) if($trackerssl)
setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/"); setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/", "", false, true);
else else
setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/"); setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/", "", false, true);
if ($securelogin) if ($securelogin)
setcookie("c_secure_login", base64("yeah"), $expires, "/"); setcookie("c_secure_login", base64("yeah"), $expires, "/", "", false, true);
else else
setcookie("c_secure_login", base64("nope"), $expires, "/"); setcookie("c_secure_login", base64("nope"), $expires, "/", "", false, true);
if ($updatedb) if ($updatedb)
@@ -3029,7 +3032,7 @@ function set_langfolder_cookie($folder, $expires = 0x7fffffff)
if ($expires != 0x7fffffff) if ($expires != 0x7fffffff)
$expires = time()+$expires; $expires = time()+$expires;
setcookie("c_lang_folder", $folder, $expires, "/"); setcookie("c_lang_folder", $folder, $expires, "/", "", false, true);
} }
function get_protocol_prefix() function get_protocol_prefix()
@@ -3073,12 +3076,12 @@ function make_folder($pre, $folder_name)
} }
function logoutcookie() { function logoutcookie() {
setcookie("c_secure_uid", "", 0x7fffffff, "/"); setcookie("c_secure_uid", "", 0x7fffffff, "/", "", false, true);
setcookie("c_secure_pass", "", 0x7fffffff, "/"); setcookie("c_secure_pass", "", 0x7fffffff, "/", "", false, true);
// setcookie("c_secure_ssl", "", 0x7fffffff, "/"); // setcookie("c_secure_ssl", "", 0x7fffffff, "/", "", false, true);
setcookie("c_secure_tracker_ssl", "", 0x7fffffff, "/"); setcookie("c_secure_tracker_ssl", "", 0x7fffffff, "/", "", false, true);
setcookie("c_secure_login", "", 0x7fffffff, "/"); setcookie("c_secure_login", "", 0x7fffffff, "/", "", false, true);
// setcookie("c_lang_folder", "", 0x7fffffff, "/"); // setcookie("c_lang_folder", "", 0x7fffffff, "/", "", false, true);
} }
function base64 ($string, $encode=true) { function base64 ($string, $encode=true) {
public/friends.php
+7 -7
View File
@@ -73,9 +73,10 @@ if ($action == 'delete')
if (!is_valid_id($targetid)) if (!is_valid_id($targetid))
stderr($lang_friends['std_error'], $lang_friends['std_invalid_id']."$userid."); stderr($lang_friends['std_error'], $lang_friends['std_invalid_id']."$userid.");
if (!$sure) if (!$sure) {
stderr($lang_friends['std_delete'].$type, $lang_friends['std_delete_note'].$typename.$lang_friends['std_click']. stderr($lang_friends['std_delete'].$type, $lang_friends['std_delete_note'].$typename.$lang_friends['std_click'].
"<a href=?id=$userid&action=delete&type=$type&targetid=$targetid&sure=1>".$lang_friends['std_here_if_sure'],false); "<a href=?id=$userid&action=delete&type=$type&targetid=$targetid&sure=1>".$lang_friends['std_here_if_sure'],false);
}
if ($type == 'friend') if ($type == 'friend')
{ {
@@ -90,10 +91,9 @@ if ($action == 'delete')
if (mysql_affected_rows() == 0) if (mysql_affected_rows() == 0)
stderr($lang_friends['std_error'], $lang_friends['std_no_block_found']."$targetid"); stderr($lang_friends['std_error'], $lang_friends['std_no_block_found']."$targetid");
$frag = "blocks"; $frag = "blocks";
} } else {
else stderr($lang_friends['std_error'], $lang_friends['std_unknown_type']."$type");
stderr($lang_friends['std_error'], $lang_friends['std_unknown_type']."$type"); }
purge_neighbors_cache(); purge_neighbors_cache();