Fix low severity stored xss in admin/pageViewMembers.php
Ahmad Gneady committed Jul 3, 2021
1 parent 5c122df commit 96dd9bb
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions app/admin/pageViewMembers.php
Expand Up @@ -225,9 +225,9 @@
?>
<tr class="<?php echo $tr_class; ?>">
<?php if($adminConfig['anonymousMember'] == $row[0]) { ?>
<td class="text-left"><?php echo $row[0]; ?></td>
<td class="text-left"><?php echo htmlspecialchars($row[0]); ?></td>
<?php } else { ?>
<td class="text-left"><a href="pageEditMember.php?memberID=<?php echo $row[0]; ?>"><?php echo $row[0]; ?></a></td>
<td class="text-left"><a href="pageEditMember.php?memberID=<?php echo urlencode($row[0]); ?>"><?php echo htmlspecialchars($row[0]); ?></a></td>
<?php } ?>
<td class="text-left"><?php echo htmlspecialchars($row[1]); ?></td>
<td class="text-left"><?php echo htmlspecialchars($row[2]); ?></td>
Expand All @@ -249,28 +249,28 @@
<?php if($adminConfig['anonymousMember'] == $row[0]) { ?>
<i class="glyphicon glyphicon-pencil text-muted"></i>
<?php } else { ?>
<a href="pageEditMember.php?memberID=<?php echo $row[0]; ?>"><i class="glyphicon glyphicon-pencil" title="<?php echo $Translation['Edit member']; ?>"></i></a>
<a href="pageEditMember.php?memberID=<?php echo urlencode($row[0]); ?>"><i class="glyphicon glyphicon-pencil" title="<?php echo $Translation['Edit member']; ?>"></i></a>
<?php } ?>

<?php if($adminConfig['anonymousMember'] == $row[0] || $adminConfig['adminUsername'] == $row[0]) { ?>
<i class="glyphicon glyphicon-trash text-muted"></i>
<i class="glyphicon glyphicon-ban-circle text-muted"></i>
<?php } else { ?>
<a href="pageDeleteMember.php?memberID=<?php echo $row[0]; ?>&csrf_token=<?php echo urlencode(csrf_token(false, true)); ?>" onClick="return confirm('<?php echo addslashes(str_replace('<USERNAME>', $row[0], $Translation['sure delete user'])); ?>');"><i class="glyphicon glyphicon-trash text-danger" title="<?php echo $Translation['delete member']; ?>"></i></a>
<a href="pageDeleteMember.php?memberID=<?php echo urlencode($row[0]); ?>&csrf_token=<?php echo urlencode(csrf_token(false, true)); ?>" onClick="return confirm('<?php echo addslashes(str_replace('<USERNAME>', $row[0], $Translation['sure delete user'])); ?>');"><i class="glyphicon glyphicon-trash text-danger" title="<?php echo $Translation['delete member']; ?>"></i></a>
<?php
if(!$row[9]) { // if member is not approved, display approve link
?><a href="pageChangeMemberStatus.php?memberID=<?php echo $row[0]; ?>&approve=1"><i class="glyphicon glyphicon-ok text-success" title="<?php echo $Translation["unban this member"]; ?>" title="<?php echo $Translation["approve this member"]; ?>"></i></a><?php
?><a href="pageChangeMemberStatus.php?memberID=<?php echo urlencode($row[0]); ?>&approve=1"><i class="glyphicon glyphicon-ok text-success" title="<?php echo $Translation["unban this member"]; ?>" title="<?php echo $Translation["approve this member"]; ?>"></i></a><?php
} else {
if($row[8]) { // if member is banned, display unban link
?><a href="pageChangeMemberStatus.php?memberID=<?php echo $row[0]; ?>&unban=1"><i class="glyphicon glyphicon-ok text-success" title="<?php echo $Translation["unban this member"]; ?>"></i></a><?php
?><a href="pageChangeMemberStatus.php?memberID=<?php echo urlencode($row[0]); ?>&unban=1"><i class="glyphicon glyphicon-ok text-success" title="<?php echo $Translation["unban this member"]; ?>"></i></a><?php
} else { // if member is not banned, display ban link
?><a href="pageChangeMemberStatus.php?memberID=<?php echo $row[0]; ?>&ban=1"><i class="glyphicon glyphicon-ban-circle text-danger" title="<?php echo $Translation["ban this member"]; ?>"></i></a><?php
?><a href="pageChangeMemberStatus.php?memberID=<?php echo urlencode($row[0]); ?>&ban=1"><i class="glyphicon glyphicon-ban-circle text-danger" title="<?php echo $Translation["ban this member"]; ?>"></i></a><?php
}
}
?>
<?php } ?>

<a href="pageViewRecords.php?memberID=<?php echo $row[0]; ?>"><i class="glyphicon glyphicon-th" title="<?php echo $Translation["View member records"]; ?>"></i></a>
<a href="pageViewRecords.php?memberID=<?php echo urlencode($row[0]); ?>"><i class="glyphicon glyphicon-th" title="<?php echo $Translation["View member records"]; ?>"></i></a>
</td>
</tr>
<?php
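Review bot: The delete link's confirm() message on the new line `<a href="pageDeleteMember.php?memberID=<?php echo urlencode($row[0]); ?>&csrf_token=…` still drops `$row[0]` into the double-quoted onClick attribute with only `addslashes()`, which escapes for the JavaScript string literal but not for the surrounding HTML attribute, so a username containing `"` is emitted unescaped there and terminates the attribute — the same stored-XSS class this commit closes in the href and cell output. Escaping for both contexts, JavaScript first and then HTML attribute, covers it: `onClick="return confirm('<?php echo htmlspecialchars(addslashes(str_replace('<USERNAME>', $row[0], $Translation['sure delete user'])), ENT_QUOTES); ?>');"`. Separately, the approve link line carries two `title=` attributes (`"unban this member"` then `"approve this member"`); browsers keep the first, so the approve icon shows the unban tooltip, and the first `title` should be dropped. The enclosing row-rendering loop starts and ends outside the hunk.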
