Illumina CMS / Zap CMS - Possible XSS patch
Hey Ragezone
This is not much but may help some people, in case you have any staff that will abuse having access to housekeeping. It was possible for staff posting news articles to XSS your site. If they included meta / JavaScript redirect code in the title or snippet they could redirect users as soon as they log in.
In lightcms.php replace the entire "getMainStories" function with the one below:
Yes this is a small release but may help some people. If you're going to hate then don't bother to post.
Code:
    public static function getMainStories($amt) {
        global $db, $tpl, $light;
        // Cast to int so the LIMIT value can never carry anything but a number.
        $amt = (int) $amt;
        if($r = $db->query("SELECT id,title,topstory_image,snippet FROM site_news ORDER BY id DESC LIMIT " . $amt)) {
            $c = 0;
            while($a = $r->fetch_assoc()) {
                $disp = 'block';
                // The image URL is printed inside a style attribute, so quotes must be escaped there too.
                $imgurl = htmlspecialchars($a['topstory_image'], ENT_QUOTES);
                if($c > 0) { $disp = 'none'; }
                // Strip tags first, then build the slug (the original call had the arguments in the wrong order).
                $_seo = $a['id'] . "-" . strtolower(str_replace(' ', '-', strip_tags($a['title'])));
                // The slug is printed inside href="", so escape it as an attribute value.
                $_seo = htmlspecialchars($_seo, ENT_QUOTES);
                echo '<div class="topstory" style="background-image: url(' . $imgurl . '); display: ' . $disp . ';">
                    <h4>Latest news</h4>
                    <h3><a href="' . WWW . '/articles/' . $_seo . '">' . $light->filter(strip_tags($a['title'])) . '</a></h3>
                    <p class="summary">
                    ' . $light->filter(strip_tags($a['snippet'])) . '
                    </p>
                    <p>
                    <a href="' . WWW . '/articles/' . $_seo . '">Read more »</a>
                    </p>
                </div>';
                $c++;
            }
            echo '<div id="topstories-nav" style="display: none"><a href="#" class="prev">« Previous</a><span>1</span> / ' . $c . '<a href="#" class="next">Next »</a></div>';
        }
        else {
            $db->databaseError($db->error);
        }
    }
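The following is an added example, not code from Illumina/Zap CMS or from the poster. It renders one story the way the patched getMainStories() does, but from a constructed row instead of the database, so you can see what strip_tags() plus HTML escaping do to a hostile title, snippet and image URL. The esc() helper is assumed to behave like $light->filter() (an HTML-escaping call); the thread does not show what filter() actually does, so that is an assumption.

```php
<?php
// Added example (assumption: esc() stands in for $light->filter(), treated here as
// an HTML-escaping function). Everything below runs stand-alone with no database.

function esc(string $s): string {
    // ENT_QUOTES so both " and ' are neutralised, which matters inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function seoSlug(int $id, string $title): string {
    // Same slug shape as the patch, with the argument order corrected and the
    // result URL-encoded so nothing in the title can break out of href="".
    $slug = strtolower(str_replace(' ', '-', strip_tags($title)));
    return $id . '-' . rawurlencode($slug);
}

function renderStory(array $a, string $www = 'https://example.invalid'): string {
    $seo = seoSlug((int) $a['id'], $a['title']);
    // strip_tags() does nothing useful for the image URL: it is in an attribute
    // context, so only escaping the quotes stops it closing the style="" value.
    $html  = '<div class="topstory" style="background-image: url(' . esc($a['topstory_image']) . ');">';
    $html .= '<h3><a href="' . $www . '/articles/' . $seo . '">' . esc(strip_tags($a['title'])) . '</a></h3>';
    $html .= '<p class="summary">' . esc(strip_tags($a['snippet'])) . '</p>';
    $html .= '</div>';
    return $html;
}

// Constructed hostile row: the meta/JavaScript redirect the thread describes a
// rogue housekeeping user posting, plus an image URL carrying a stray quote.
$row = [
    'id'             => 42,
    'title'          => 'Welcome <meta http-equiv="refresh" content="0;url=https://attacker.invalid">',
    'snippet'        => 'Hi <script>location="https://attacker.invalid"</script> all',
    'topstory_image' => '/img/x.png" onmouseover="alert(1)',
];

// The meta and script tags are gone from the title and snippet, and the quote in
// the image URL is emitted as &quot;, so it stays inside the style attribute.
echo renderStory($row), PHP_EOL;
```

Run it with `php example.php` and compare the output against the raw $row values to see which part of the defence (strip_tags or escaping) handled each field.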
Re: Illumina CMS / Zap CMS - Possible xss patch
Very good :) Also on the main news articles you could convert it to use BBCode and not allow staff to directly input HTML into the article body (not sure if this is the case with Illumina or not).
Re: Illumina CMS / Zap CMS - Possible xss patch
Great release. :proud: Also it is implementable with UberCMS for the people who don't use Illumina in general.
Re: Illumina CMS / Zap CMS - Possible xss patch
Originally Posted by Hejula:
> Very good :) Also on the main news articles you could convert it to use BBCode and not allow staff to directly input HTML into the article body (not sure if this is the case with Illumina or not).
*some* raw HTML is supported in Illumina, most malicious shit is blocked out. My general rule of thumb is don't let dumbasses into housekeeping and to put a PIN on the HK login.
Also, hot campaigns are only editable in the database, so unless you're a complete retard you should have no issues there either.