From 9d5493989e777d43f3f339cd179b0c435a14d814 Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Mon, 18 Aug 2025 23:51:06 +0200
Subject: [PATCH] pages.php: trim ban POST parameters

---
 inc/mod/pages.php | 73 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 55 insertions(+), 18 deletions(-)

diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 219141b2..2d5b87ab 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -19,6 +19,16 @@ function _link_or_copy_factory(Context $ctx): callable {
     };
 }
 
+function _trim_str_param(array $arr, string $key): ?string {
+    if (isset($arr[$key])) {
+        $trimmed = \trim($arr[$key]);
+        if (!empty($trimmed)) {
+            return $trimmed;
+        }
+    }
+    return null;
+}
+
 function mod_page($title, $template, $args, $subtitle = false) {
     global $config, $mod;
 
@@ -1113,14 +1123,19 @@ function mod_ban(Context $ctx) {
     if (!hasPermission($config['mod']['ban']))
         error($config['error']['noaccess']);
 
-    if (!isset($_POST['ip'], $_POST['reason'], $_POST['length'], $_POST['board'])) {
+    $ip = _trim_str_param($_POST, 'ip' );
+    $reason = _trim_str_param($_POST, 'reason');
+    $length = _trim_str_param($_POST, 'length');
+    $board = _trim_str_param($_POST, 'board');
+
+    if (!isset($ip, $reason, $length, $board)) {
         mod_page(_('New ban'), 'mod/ban_form.html', array('token' => make_secure_link_token('ban')));
         return;
     }
 
     require_once 'inc/mod/ban.php';
 
-    Bans::new_ban($_POST['ip'], $_POST['reason'], $_POST['length'], $_POST['board'] == '*' ? false : $_POST['board']);
+    Bans::new_ban($ip, $reason, $length, $board == '*' ? false : $board);
 
     if (isset($_POST['redirect']))
         header('Location: ' . $_POST['redirect'], true, $config['redirect_http']);
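Review bot: `_trim_str_param` hands `$arr[$key]` straight to `\trim()`, but a `$_POST` value can be an array (`ip[]=...`), and on PHP 8 `trim()` then throws a TypeError that surfaces as an unhandled error rather than the form being re-shown; `isset()` does not rule that case out. The `!empty($trimmed)` test also maps the literal string `'0'` to null, which the helper's name does not suggest. An `is_string` guard plus a strict comparison covers both: `if (!isset($arr[$key]) || !\is_string($arr[$key])) { return null; }`, `$trimmed = \trim($arr[$key]);`, `return $trimmed === '' ? null : $trimmed;`. A docblock such as `/** Returns the trimmed string value of $arr[$key], or null when the key is missing, not a string, or blank. */` would state the contract the mod_ban call sites rely on.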
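Review bot: A whitespace-only `reason`, `length` or `board` now falls into the `!isset($ip, $reason, $length, $board)` branch and silently re-renders the empty ban form, whereas the old `isset($_POST[...])` check accepted an empty field; the moderator gets no indication why the submission was discarded and loses what they typed. If rejecting blank fields is intended, an explicit `error(...)` when all four `$_POST` keys are present but one trimmed value is null would make that visible; otherwise a comment saying that blank fields deliberately fall back to the form would do. Minor: `$board` is a non-null string at that point, so `$board === '*' ? false : $board` is the precise form. mod_ban starts and ends outside the hunk.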
@@ -1967,25 +1982,41 @@ function mod_ban_post(Context $ctx, $board, $delete, $post, $token = false) { if (isset($_POST['new_ban'], $_POST['reason'], $_POST['length'], $_POST['board'])) { require_once 'inc/mod/ban.php'; - if (isset($_POST['ip'])) - $ip = $_POST['ip']; + if (isset($_POST['ip'])) { + $ip_trim = \trim($_POST['ip']); + if (!empty($ip_trim)) { + $ip = $ip_trim; + } + } - Bans::new_ban($_POST['ip'], $_POST['reason'], $_POST['length'], $_POST['board'] == '*' ? false : $_POST['board'], + $target_ip = \trim($_POST['ip']); + $reason = \trim($_POST['reason']); + $length = \trim($_POST['length']); + $target_board = \trim($_POST['board']); + + Bans::new_ban($target_ip, $reason, $length, $target_board == '*' ? false : $target_board, false, $config['ban_show_post'] ? $_post : false); - if (isset($_POST['public_message'], $_POST['message'])) { + $message = _trim_str_param($_POST, 'message'); + $public_message = _trim_str_param($_POST, 'public_message'); + + if (isset($public_message, $message)) { // public ban message - $length_english = Bans::parse_time($_POST['length']) ? 'for ' . until(Bans::parse_time($_POST['length'])) : 'permanently'; - $_POST['message'] = preg_replace('/[\r\n]/', '', $_POST['message']); - $_POST['message'] = str_replace('%length%', $length_english, $_POST['message']); - $_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']); + $length_parsed = Bans::parse_time($length); + $length_english = $length_parsed ? 'for ' . 
until($length_parsed) : 'permanently'; + + $message = \trim($_POST['message']); + $message = \preg_replace('/[\r\n]/', '', $message); + $message = \str_replace('%length%', $length_english, $message); + $message = \str_replace('%LENGTH%', \strtoupper($length_english), $message); + $query = prepare(sprintf('UPDATE ``posts_%s`` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board)); $query->bindValue(':id', $post); - $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($_POST['message']))); + $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($message))); $query->execute() or error(db_error($query)); rebuildPost($post); - modLog("Attached a public ban message to post #{$post}: " . utf8tohtml($_POST['message'])); + modLog("Attached a public ban message to post #{$post}: " . utf8tohtml($message)); buildThread($thread ? $thread : $post); buildIndex(); } elseif (isset($_POST['delete']) && (int) $_POST['delete']) { 
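Review bot: `$target_ip = \trim($_POST['ip']);` runs unconditionally right after a block that only sets `$ip` when `$_POST['ip']` is present and non-blank, so the guarded `$ip` (which, judging by the matching code in mod_warning_post, presumably falls back to the post's own IP) is never what reaches `Bans::new_ban`: a missing `ip` field yields an undefined-key warning and a null passed to `trim()`, and a blank one bans the empty string. Passing the guarded value instead, `Bans::new_ban($ip, $reason, $length, $target_board === '*' ? false : $target_board,`, and dropping `$target_ip` makes the fallback effective. Inside the public-message branch, `$message = \trim($_POST['message']);` re-derives a value `_trim_str_param` already produced, so that line can go. The mod_warning_post hunk below removes the `preg_replace('/[\r\n]/', '', ...)` newline strip without replacing it, so a public warning message can now carry line breaks into `body_nomarkup` and the modLog entry; the ban-message branch keeps the strip, and the warning branch should too, e.g. `$message = \preg_replace('/[\r\n]/', '', $message);`. mod_ban_post starts and ends outside the hunk.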
@@ -2083,19 +2114,25 @@ function mod_warning_post(Context $ctx, $board, $post, $token = false) { $ip = $_post['ip']; if (isset($_POST['new_warning'])) { - if (isset($_POST['ip'])) - $ip = $_POST['ip']; + if (isset($_POST['ip'])) { + $ip_trim = \trim($_POST['ip']); + if (!empty($ip_trim)) { + $ip = $ip_trim; + } + } - if (isset($_POST['public_message'], $_POST['message'])) { + $message = _trim_str_param($_POST, 'message'); + $public_message = _trim_str_param($_POST, 'public_message'); + + if (isset($public_message, $message)) { // public warning message - $_POST['message'] = preg_replace('/[\r\n]/', '', $_POST['message']); $query = prepare(sprintf('UPDATE ``posts_%s`` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board)); $query->bindValue(':id', $post); - $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($_POST['message']))); + $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($message))); $query->execute() or error(db_error($query)); rebuildPost($post); - modLog("Attached a public warning message to post #{$post}: " . utf8tohtml($_POST['message'])); + modLog("Attached a public warning message to post #{$post}: " . utf8tohtml($message)); buildThread($thread ? $thread : $post); buildIndex();