[Phpfreechat-svn] SF.net SVN: phpfreechat: [1216] trunk
From: <ke...@us...> - 2007-11-25 19:19:20
Revision: 1216
http://phpfreechat.svn.sourceforge.net/phpfreechat/?rev=1216&view=rev
Author: kerphi
Date: 2007-11-25 11:19:20 -0800 (Sun, 25 Nov 2007)
Log Message:
-----------
Security fix: nickname HTML injection (thanks to teamhackaday)
Modified Paths:
--------------
trunk/data/public/js/pfcclient.js
trunk/themes/default/chat.html.tpl.php
Modified: trunk/data/public/js/pfcclient.js
===================================================================
--- trunk/data/public/js/pfcclient.js 2007-11-22 16:50:37 UTC (rev 1215)
+++ trunk/data/public/js/pfcclient.js 2007-11-25 19:19:20 UTC (rev 1216)
@@ -92,8 +92,6 @@
Event.observe(this.el_words, 'keyup', this.callbackWords_OnKeyup.bindAsEventListener(this), false);
Event.observe(this.el_words, 'mouseup', this.callbackWords_OnMouseup.bindAsEventListener(this), false);
Event.observe(this.el_words, 'focus', this.callbackWords_OnFocus.bindAsEventListener(this), false);
- Event.observe(this.el_handle, 'keydown', this.callbackHandle_OnKeydown.bindAsEventListener(this), false);
- Event.observe(this.el_handle, 'change', this.callbackHandle_OnChange.bindAsEventListener(this), false);
Event.observe(document.body, 'unload', this.callback_OnUnload.bindAsEventListener(this), false);
},
@@ -309,9 +307,9 @@
if (resp == "ok" || resp == "notchanged" || resp == "changed" || resp == "connected")
{
- this.el_handle.innerHTML = param;
- this.nickname = param;
this.setUserMeta(this.nickid, 'nick', param);
+ this.el_handle.innerHTML = this.getUserMeta(this.nickid, 'nick').escapeHTML();
+ this.nickname = this.getUserMeta(this.nickid, 'nick');
this.updateNickBox(this.nickid);
// clear the possible error box generated by the bellow displayMsg(...) function
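Review bot: The new line `this.el_handle.innerHTML = this.getUserMeta(this.nickid, 'nick').escapeHTML();` still routes the nickname through the HTML parser and relies on escapeHTML being complete, when the file already has a parser-free idiom for the same job (the `document.createTextNode(nick)` call that hunk @@ -1387,7 +1379,7 @@ replaces with the same innerHTML pattern). Setting the text through the DOM needs no escaping and cannot regress if escapeHTML changes: `this.el_handle.innerHTML = '';` followed by `this.el_handle.appendChild(document.createTextNode(this.getUserMeta(this.nickid, 'nick')));`. The same applies to hunk @@ -1387, where keeping the original createTextNode line would have been the safer choice. The enclosing function starts and ends outside this hunk.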
@@ -822,12 +820,6 @@
// Needed for IE since the text box loses selection/caret position on blur
this.setSelection(this.el_words);
},
- callbackHandle_OnKeydown: function(evt)
- {
- },
- callbackHandle_OnChange: function(evt)
- {
- },
callback_OnUnload: function(evt)
{
/* don't disconnect users when they reload the window
@@ -950,9 +942,9 @@
line += ' <span class="pfc_nick">';
line += '‹';
line += '<span ';
- line += 'onclick="pfc.insert_text(\'' + sender.replace("'", '\\\'') + ', \',\'\',false)" ';
+ line += 'onclick="pfc.insert_text(\'' + sender.escapeHTML().replace("'", '\\\'') + ', \',\'\',false)" ';
line += 'class="pfc_nickmarker pfc_nick_'+ _to_utf8(sender).md5() +'">';
- line += sender;
+ line += sender.escapeHTML();
line += '</span>';
line += '›';
line += '</span> ';
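Review bot: The escaping on the new onclick line is incomplete for the context it lands in: `replace("'", '\\\'')` with a string pattern rewrites only the first single quote, a backslash in `sender` is not escaped at all, and a double quote is not touched by escapeHTML (if it is prototype.js's, it escapes only `&`, `<` and `>`), so it can end the attribute itself. The value is decoded as an HTML attribute first and as a JS string literal second, so the escaping should be applied in the reverse order with global patterns: `var jsNick = sender.replace(/\\/g, '\\\\').replace(/'/g, "\\'");` then `line += 'onclick="pfc.insert_text(\'' + jsNick.escapeHTML().replace(/"/g, '&quot;') + ', \',\'\',false)" ';`. A later cleanup could drop the inline handler entirely and attach the click via Event.observe on the created span, as the file already does for other elements. The enclosing function starts and ends outside this hunk.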
@@ -1387,7 +1379,7 @@
var nobr = document.createElement('nobr');
var span = document.createElement('span');
span.setAttribute(className, 'pfc_nickmarker pfc_nick_'+nickid);
- span.appendChild(document.createTextNode(nick));
+ span.innerHTML = nick.escapeHTML();
nobr.appendChild(span);
a.appendChild(nobr);
Modified: trunk/themes/default/chat.html.tpl.php
===================================================================
--- trunk/themes/default/chat.html.tpl.php 2007-11-22 16:50:37 UTC (rev 1215)
+++ trunk/themes/default/chat.html.tpl.php 2007-11-25 19:19:20 UTC (rev 1216)
@@ -21,7 +21,7 @@
. ' style="cursor: pointer"';
}
?>
- ><?php echo $u->nick; ?></p>
+ ><?php echo phpFreeChat::FilterSpecialChar($u->nick); ?></p>
</td>
<td class="pfc_td2">
<input type="text"
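Review bot: The new `phpFreeChat::FilterSpecialChar($u->nick)` call is only a complete fix if that helper escapes `&`, `<`, `>` and both quote characters with the page's charset; its contract is not visible from this hunk, and the template prints the nick here between tags, so a `htmlspecialchars(..., ENT_QUOTES)`-equivalent would be needed for any attribute use elsewhere in the template. A short comment at the call site, such as `<?php /* nick is user-controlled: FilterSpecialChar must HTML-escape it (incl. quotes) */ ?>`, would record that expectation for the next editor. The surrounding PHP block starts outside this hunk.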