Status: Closed (fixed)
Project: Comment commander
Version: 6.x-1.x-dev
Component: Code
Priority: Normal
Category: Bug report
Assigned:
Reporter:
Created: 21 Dec 2009 at 12:56 UTC
Updated: 28 Dec 2009 at 04:20 UTC
Usernames, homepagenames and homepage URLs cannot be output as is.
$member_comments[] = "<a href=\"$cb_record->homepage\" target=\"_blank\">$cb_record->homepagename</a>";
// and
"Home page: <a href=\"$account->homepage\" target=\"_blank\">$account->homepagename</a>";
$account->homepage must be passed through check_url, $account->homepagename through check_plain. You should consider using t() and pass $account->homepagename via an @placeholder. Not escaping these values allows users to post code.
For more information, please read http://acko.net/blog/safe-string-theory-for-the-web and http://drupal.org/node/28984.
foreach ($process_node_types as $key => $value) {
  $process_node_types[$key] = "'$value'";
}
$process_node_type_list = implode(',', $process_node_types);
// knock it out
$qstr = 'UPDATE {node} SET comment = 1 WHERE nid IN
  (SELECT nid FROM {node_comment_statistics}
  WHERE last_comment_timestamp <= UNIX_TIMESTAMP() - 60*60*24*%d)' . ($process_node_type_list ? "AND type IN ($process_node_type_list)" : '');
I doubt there's an exploitable vulnerability here, but please use db_placeholders to generate the number of placeholders you require, then pass the values in one array to db_query. Idem for _comment_commander_node_select().
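Hardened versions of both snippets from the report, written against the Drupal 6 API the reporter names (check_url, check_plain, t() with placeholders, db_placeholders, db_query). This is an added example, not code from the Comment commander module or from the reporter; the function names, the $days argument and the sample account values are assumptions.

```php
<?php
// Added example (not the module's code): hardened forms of the two snippets
// quoted in the issue. Function names, $days and the sample values below are
// assumptions for illustration.

/**
 * Builds the "Home page" link for an account without letting the stored
 * values inject markup.
 *
 * check_url() strips protocols that are not on the allowed list and then
 * HTML-escapes the result, so it is inserted via a "!" placeholder (already
 * safe, no second escaping). The display name goes through an "@" placeholder,
 * which t() runs through check_plain().
 */
function comment_commander_homepage_link($account) {
  if (empty($account->homepage) || empty($account->homepagename)) {
    return '';
  }
  return t('Home page: <a href="!homepage" target="_blank">@homepagename</a>', array(
    '!homepage' => check_url($account->homepage),
    '@homepagename' => $account->homepagename,
  ));
}

/**
 * Closes commenting on nodes whose last comment is older than $days days,
 * optionally restricted to a list of node types.
 *
 * The type list is no longer quoted into the SQL string by hand; instead
 * db_placeholders() emits one "'%s'" per value and db_query() escapes every
 * bound value, with all arguments passed as a single array.
 */
function comment_commander_close_stale($days, array $process_node_types = array()) {
  $args = array((int) $days);
  $sql = 'UPDATE {node} SET comment = 1 WHERE nid IN (
            SELECT nid FROM {node_comment_statistics}
            WHERE last_comment_timestamp <= UNIX_TIMESTAMP() - 60*60*24*%d)';
  if (!empty($process_node_types)) {
    // Placeholders and values are appended in the same order, after %d.
    $sql .= ' AND type IN (' . db_placeholders($process_node_types, 'varchar') . ')';
    $args = array_merge($args, array_values($process_node_types));
  }
  return db_query($sql, $args);
}

// Constructed sample input (not real user data): an ampersand in the URL and
// markup in the name, both of which must come out escaped.
$account = new stdClass();
$account->homepage = 'http://example.com/?a=1&b=2';
$account->homepagename = 'Bob <b>';
// Expected markup:
// Home page: <a href="http://example.com/?a=1&amp;b=2" target="_blank">Bob &lt;b&gt;</a>
print comment_commander_homepage_link($account);

// Close comments on pages and stories idle for 30 days; the generated SQL ends
// in "AND type IN ('%s','%s')" with 'page' and 'story' bound by db_query().
comment_commander_close_stale(30, array('page', 'story'));
```

For the link, Drupal 6's l($account->homepagename, $account->homepage, array('attributes' => array('target' => '_blank'))) achieves the same result, since l() itself wraps the path in check_url() and the link text in check_plain(); the t() form above is shown because it is the approach the report suggests.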
Comments
Comment #1
Prometheus6 commented:
The critical part is fixed.
Comment #2
Prometheus6 commented:
The non-critical part (using db_placeholder) is complete.