2022-04-26, 04:23:29
(This post was last modified: 2022-04-27, 23:07:11 by Knobbles. Edit Reason: Bugfix)
There is line 81 in admin/settings.php:
PHP Code:
if (isset($_POST['permalink'])) {
    $PERMALINK = trim($_POST['permalink']);
}
Replacing this with
PHP Code:
if (isset($_POST['permalink'])) {
    $badchars = array('<', '>', '(', ')', '{', '}', '[', ']', ' ', "\t", "\r", "\n");
    $PERMALINK = str_replace($badchars, '', $_POST['permalink']);
}
i.e. removing all kinds of brackets, plus freespace, should bork any attempt of scripting reliably.
You might go even further, setting $PERMALINK to "" when detecting any of them in $_POST['permalink'].
These characters should not be part of a URL anyway.
What am I missing?
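
The stricter variant suggested in the post (reject the value instead of stripping characters), written as an allowlist check with escaping at output time. This is an added example, not part of the original post or the project's code; the function names, the length limit and the allowed character set are assumptions.

```php
<?php
// Added example, not the project's code. validate_permalink() and
// permalink_attr() are hypothetical names; the allowed character set and
// length limit are assumptions to adjust to the real permalink format.

/**
 * Return the permalink if every character is on the allowlist, else ''.
 * Allowlist assumed here: RFC 3986 unreserved characters plus "/".
 */
function validate_permalink($raw, int $maxLen = 200): string
{
    // Form fields can arrive as arrays (permalink[]=...); reject those.
    if (!is_string($raw)) {
        return '';
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > $maxLen) {
        return '';
    }
    // \A and \z anchor the whole string, so a trailing newline cannot slip by.
    if (preg_match('#\A[A-Za-z0-9._~/-]+\z#', $value) !== 1) {
        return '';
    }
    return $value;
}

/**
 * Escape the stored value for use inside an HTML attribute. Input
 * validation does not replace this; apply it wherever the value is printed.
 */
function permalink_attr(string $permalink): string
{
    return htmlspecialchars($permalink, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same shape as the snippet in the post, with the validator in place.
$PERMALINK = '';
if (isset($_POST['permalink'])) {
    $PERMALINK = validate_permalink($_POST['permalink']);
}

// Constructed sample inputs (not taken from the page).
foreach (['blog/2022-post', 'a<b>', 'x"y', 'two words'] as $sample) {
    $result = validate_permalink($sample);
    printf("%-16s => %s\n", $sample, $result === '' ? '(rejected)' : $result);
}
```

An allowlist rejects any character that was not anticipated, including the quote characters that the `$badchars` list above does not contain.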