avoid stored XSS on the message field

phpList · May 18, 2021 · 4ccb8b3 · 4ccb8b3
1 parent 5d87d35
commit 4ccb8b3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/public_html/lists/admin/lib.php b/public_html/lists/admin/lib.php
@@ -105,6 +105,9 @@ function setMessageData($msgid, $name, $value)
         //# disallow html in the subject and title
         $value = strip_tags($value);
     }
+    if ($name == 'message') { ## there's no need for js actions in the body. @@TODO expand on other fields
+      $value = disableJavascript($value);
+    }
 
     if ($name == 'targetlist' && is_array($value)) {
         Sql_query(sprintf('delete from %s where messageid = %d', $GLOBALS['tables']['listmessage'], $msgid));
@@ -1041,7 +1044,7 @@ function clearPageCache()
 function removeJavascript($content)
 {
     $content = preg_replace('/<script[^>]*>(.*?)<\/script\s*>/mis', '', $content);
-
+    $content = disableJavascript($content);
     return $content;
 }
 

diff --git a/public_html/lists/admin/message.php b/public_html/lists/admin/message.php
@@ -105,7 +105,7 @@
 $content .= sprintf($format, s('Subject'), htmlentities($msgdata['subject']));
 $content .= sprintf($format, s('entered'), formatDateTime( stripslashes($msgdata['entered'] )));
 $content .= sprintf($format, s('fromfield'), htmlentities(stripslashes($msgdata['fromfield'])));
-$content .= sprintf($format, s('HTML content'), stripslashes($msgdata['message']));
+$content .= sprintf($format, s('HTML content'), disableJavascript(stripslashes($msgdata['message'])));
 $content .= sprintf($format, s('Text content'), htmlentities(stripslashes($msgdata['textmessage'])));
 $content .= sprintf($format, s('footer'), stripslashes($msgdata['footer']));