From: <be...@us...> - 2013-09-05 09:40:29
Revision: 12008
http://sourceforge.net/p/xoops/svn/12008
Author: beckmi
Date: 2013-09-05 09:40:26 +0000 (Thu, 05 Sep 2013)
Log Message:
-----------
replaced extract($_POST) in /include/comment_delete.php with filters
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.7/docs/changelog.250.txt
XoopsCore/branches/2.5.x/2.5.7/htdocs/include/comment_delete.php
Modified: XoopsCore/branches/2.5.x/2.5.7/docs/changelog.250.txt
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/docs/changelog.250.txt 2013-09-05 09:12:59 UTC (rev 12007)
+++ XoopsCore/branches/2.5.x/2.5.7/docs/changelog.250.txt 2013-09-05 09:40:26 UTC (rev 12008)
@@ -22,6 +22,7 @@
- assigning "static" to functions in XoopsUserUtility class (mamba)
- solved bug into PM module readpmsg.php (escrime-info/slider84)
- fixed missing check on variable in userinfo.php (cesag/mamba)
+- replaced extract($_POST) in /include/comment_delete.php with filters (mamba)
Updated:
- jGrowl to 1.2.13 (mamba)
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/include/comment_delete.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/include/comment_delete.php 2013-09-05 09:12:59 UTC (rev 12007)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/include/comment_delete.php 2013-09-05 09:40:26 UTC (rev 12008)
@@ -24,18 +24,28 @@
include_once $GLOBALS['xoops']->path('include/comment_constants.php');
$op = 'delete';
+
+$filters = array
+ (
+ "com_mode" => FILTER_SANITIZE_FULL_SPECIAL_CHARS ,
+ "op" => FILTER_SANITIZE_FULL_SPECIAL_CHARS ,
+ "com_order" => FILTER_VALIDATE_INT,
+ "com_id"=> FILTER_VALIDATE_INT
+ );
+
if (!empty($_POST)) {
- extract($_POST);
- $com_mode = isset($com_mode) ? htmlspecialchars(trim($com_mode), ENT_QUOTES) : 'flat';
- $com_order = isset($com_order) ? intval($com_order) : XOOPS_COMMENT_OLD1ST;
- $com_id = isset($com_id) ? intval($com_id) : 0;
+ $result = filter_input_array(INPUT_POST, $filters);
} else {
- $com_mode = isset($_GET['com_mode']) ? htmlspecialchars(trim($_GET['com_mode']), ENT_QUOTES) : 'flat';
- $com_order = isset($_GET['com_order']) ? intval($_GET['com_order']) : XOOPS_COMMENT_OLD1ST;
- $com_id = isset($_GET['com_id']) ? intval($_GET['com_id']) : 0;
-
+ $result = filter_input_array(INPUT_GET, $filters);
}
+$com_mode = $result['com_mode'] ? $result['com_mode'] : 'flat';
+$com_order = $result['com_order'] ? $result['com_order'] : XOOPS_COMMENT_OLD1ST;
+$com_id = $result['com_id'] ? $result['com_id'] : 0;
+if ($result['op']) {
+ $op = $result['op'];
+}
+
if ('system' == $xoopsModule->getVar('dirname')) {
$comment_handler =& xoops_gethandler('comment');
$comment =& $comment_handler->get($com_id);
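Review bot: `$op` is now overwritten from the request on both the POST and the GET path, whereas before this change only `extract($_POST)` could clobber the hard-coded `'delete'`; if the switch later in the file performs the deletion for one of its op values, a plain GET link now reaches it, so the value should be restricted to the ops that switch handles rather than copied verbatim, e.g. `if ($result['op'] && in_array($result['op'], array(/* ops handled by the switch below */), true)) {`. `filter_input_array()` returns NULL when the chosen input array is empty (a GET with no parameters), so the four lines that index `$result` should use `!empty($result['com_mode'])` and friends instead of indexing NULL. The truthiness tests also send a validated `0` for `com_order` back to the default, which matters if `XOOPS_COMMENT_OLD1ST` is not itself 0; comparing against `false`/`null` preserves a legitimate 0. Note that the old `trim()` on `com_mode` is gone, so surrounding whitespace now reaches the later comparisons. The rest of the file, including that switch, is outside this hunk.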
@@ -62,10 +72,14 @@
// for the confirmation page
$comment_confirm_extra[$extra_param] = ${$extra_param};
} elseif (isset($_GET[$extra_param])) {
- $redirect_page .= $extra_param . '=' . $_GET[$extra_param] . '&';
+// $redirect_page .= $extra_param . '=' . $_GET[$extra_param] . '&';
+ $redirect_page .= $extra_param . '=' . filter_input(INPUT_GET, $extra_param, FILTER_SANITIZE_STRING) . '&';
+
+
// for the confirmation page
- $comment_confirm_extra[$extra_param] = $_GET[$extra_param];
+// $comment_confirm_extra[$extra_param] = $_GET[$extra_param];
+ $comment_confirm_extra[$extra_param] = filter_input(INPUT_GET, $extra_param, FILTER_SANITIZE_STRING);
}
}
}
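Review bot: FILTER_SANITIZE_STRING does not fit the context the value lands in — on the `$redirect_page .=` line it is concatenated into a query string for a redirect, where the correct encoding is `urlencode()`/`rawurlencode()`; a value that still contains `&` or `=` splits the query, and tag-stripping does nothing about that. `filter_input()` is also called twice for the same parameter; read it once into a local, then `$redirect_page .= $extra_param . '=' . urlencode($value) . '&';` and `$comment_confirm_extra[$extra_param] = $value;`, with the confirmation page escaping it for HTML when it renders. The two commented-out old lines should be deleted rather than left as dead code. FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so a later port will need a different filter anyway. The enclosing loop and its if/elseif chain start before this hunk.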
@@ -271,4 +285,4 @@
break;
}
-?>
\ No newline at end of file
+?>