prevent code injection

See: https://huntr.dev/bounties/ee5fba4a-dd6a-4bba-b9dd-d73bcca0f38e/
flatCore · Oct 14, 2021 · 2cb02cd · 2cb02cd
1 parent b004481
commit 2cb02cd
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/acp/core/functions.php b/acp/core/functions.php
@@ -381,16 +381,18 @@ function fc_filter_filepath($str) {
 
 function fc_return_clean_value($string) {
 	$string = stripslashes($string);
+	$remove_chars = array('$','`','{','}');
 	$string = htmlentities($string, ENT_QUOTES, "UTF-8");
+	$string = str_replace($remove_chars, "", $string);
 	return $string;
 }
 
 function fc_clean_permalink($str) {
 	$str = stripslashes($str);
 	$str = strip_tags($str);
 	$str = strtolower($str);
-	$a = array('ä','ö','ü','ß',' + ','//','(',')',';','\'','\\','.','`','<','>'); 
-	$b = array('ae','oe','ue','ss','-'.'/','','','','','','','','','');
+	$a = array('ä','ö','ü','ß',' + ','//','(',')',';','\'','\\','.','`','<','>','$'); 
+	$b = array('ae','oe','ue','ss','-'.'/','','','','','','','','','','');
 	$str = str_replace($a, $b, $str);
 	$str = preg_replace('/\s/s', '_', $str);  // replace blanks -> '_'
 	$str = htmlentities($str, ENT_QUOTES, "UTF-8");

diff --git a/acp/core/pages.edit.php b/acp/core/pages.edit.php
@@ -153,8 +153,8 @@
 	$page_sort = "$page_position.$page_order";
 
 	$page_version = $_POST['page_version'];
-	$page_title = strip_tags($_POST['page_title']);
-	$page_linkname = strip_tags($_POST['page_linkname']);
+	$page_title = fc_return_clean_value($_POST['page_title']);
+	$page_linkname = fc_return_clean_value($_POST['page_linkname']);
 
 	if($page_position == "portal") {
 		$page_sort = "portal";