Update of /cvs/scoop/scoop/lib/Scoop/Comments
In directory lithium.sabren.com:/tmp/cvs-serv30231/lib/Scoop/Comments

Modified Files:
	Format.pm Post.pm 
Log Message:
Committing XSS security fixes (and some others janra found, as I recall)
and some stuff found in the K5 upgrade. -j


Index: Format.pm
===================================================================
RCS file: /cvs/scoop/scoop/lib/Scoop/Comments/Format.pm,v
retrieving revision 1.61
retrieving revision 1.62
diff -C2 -d -r1.61 -r1.62
*** Format.pm	8 Feb 2006 03:42:03 -0000	1.61
--- Format.pm	6 Aug 2006 04:22:46 -0000	1.62
***************
*** 206,211 ****
  	# check for sig behavior and act accordingly
  	if ($user->{prefs}->{sig}) {
! 		#$user->{sig} =~ s/<p>/<br \/><br \/>/gi;
!  		#$user->{sig} =~ s/<\/p>//gi;
  		if ($comment->{sig_behavior} eq 'retroactive' || $comment->{sig_status} == 1) {
  			#if normal sig, then proceed as usual
--- 206,210 ----
  	# check for sig behavior and act accordingly
  	if ($user->{prefs}->{sig}) {
! 		$user->{sig} =~ s/\<\s*a\s*href/<a rel="nofollow" href/ig;
  		if ($comment->{sig_behavior} eq 'retroactive' || $comment->{sig_status} == 1) {
  			#if normal sig, then proceed as usual
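Review bot: The nofollow rewrite on the new line 208 only fires when `href` is the first attribute after `<a`, so an anchor in a sig written as `<a title="..." href="...">` or `<a class="..." href="...">` keeps its follow status; matching on the tag itself and skipping anchors that already carry a `rel` is more robust: `$user->{sig} =~ s/<a\b(?![^>]*\brel=)/<a rel="nofollow"/ig;`. The `\<\s*a` form also accepts `< a href`, which is not an anchor tag to a browser, and the `\<` escape is just a literal `<`. The substitution mutates `$user->{sig}` in place; that is only safe if `$user` is not a cached object reused across requests, or because a second pass no longer matches (the inserted `rel=` now sits between `a` and `href`), which deserves a one-line comment such as `# mark sig links nofollow; idempotent, so re-rendering is safe`. The enclosing function starts and ends outside the hunk.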
***************
*** 246,250 ****
  	}
  	if ($user->{homepage}) {
! 		$this_comment =~ s/%%url%%/<a class="light" href="$user->{homepage}">$user->{homepage}<\/a>/g;
  	} else {
  		$this_comment =~ s/%%url%%//g;
--- 245,249 ----
  	}
  	if ($user->{homepage}) {
! 		$this_comment =~ s/%%url%%/<A CLASS="light" HREF="$user->{homepage}" rel="nofollow">$user->{homepage}<\/A>/g;
  	} else {
  		$this_comment =~ s/%%url%%//g;
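Review bot: `$user->{homepage}` is still interpolated verbatim into both the `HREF` attribute and the link text on the new line 247; adding `rel="nofollow"` does nothing about a stored value containing `"`, `<` or a non-http scheme, so unless the homepage is validated when the profile is saved (not visible here) it should be escaped at this point, e.g. `my $homepage = $user->{homepage}; $homepage =~ s/([&<>"])/sprintf('&#%d;', ord $1)/ge;` and then `$this_comment =~ s/%%url%%/<a class="light" href="$homepage" rel="nofollow">$homepage<\/a>/g;`. If the site's filter already restricts homepage to an http(s) URL, a comment saying so next to this line would let the next reader stop worrying. On style, the upper-case `<A CLASS="light" HREF=...>...</A>` is inconsistent with the lower-case `<a rel="nofollow" href` the same commit writes in the sig hunk and with the previous revision of this line; lower-case keeps the output consistent and XHTML-valid. The enclosing function starts and ends outside the hunk.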

Index: Post.pm
===================================================================
RCS file: /cvs/scoop/scoop/lib/Scoop/Comments/Post.pm,v
retrieving revision 1.77
retrieving revision 1.78
diff -C2 -d -r1.77 -r1.78
*** Post.pm	14 Oct 2005 20:07:09 -0000	1.77
--- Post.pm	6 Aug 2006 04:22:47 -0000	1.78
***************
*** 355,358 ****
--- 355,362 ----
  	my $final = shift;
  	
+         if ($comment =~ /\<ul\>\<ul\>\<ul\>\<ul\>/) {
+                 return '';
+         }
+ 
  	# And, just to be sure, DEMORONIZE!
  	$comment = $S->demoronize($comment);
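Review bot: The nesting guard added at new lines 358-360 matches only the exact lower-case, adjacent string `<ul><ul><ul><ul>`; whitespace, an attribute or an upper-case `<UL>` between any two tags passes through, so as a defensive check it is easy to miss. If the intent is to reject four-deep list nesting, `if ($comment =~ m{(?:<ul\b[^>]*>\s*){4}}i) {` covers those forms, and a comment stating why that depth is rejected would document a rule that is otherwise a magic number. Returning `''` also silently turns the whole submission into an empty comment rather than surfacing an error the poster can see; worth confirming that is the wanted behaviour. The added lines are indented with spaces where the rest of the function uses tabs. The enclosing function starts and ends outside the hunk.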
***************
*** 361,364 ****
--- 365,369 ----
  	$comment =~ s/&#139;/</g;
  	$comment =~ s/&#155;/>/g;
+         $comment =~ s/%0\d+//g;
  
  	# Translate template keys for safety
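Review bot: `s/%0\d+//g` on the new line 368 strips `%0` followed by decimal digits only, so if the intent is to remove percent-encoded control characters the hexadecimal forms such as `%0a` and `%0d` (the line-break encodings) are not matched at all, while a legitimate `%01234` loses all of its trailing digits. A two-hex-digit pattern, `$comment =~ s/%0[0-9a-f]//gi;`, matches exactly the encodings such a filter presumably targets and nothing more. The line carries no comment saying what it defends against, so `# strip percent-encoded control characters (%00-%0f)` would record the intent for the next maintainer. The enclosing function starts and ends outside the hunk.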