Fix XSS in forum

slawkens · Nov 27, 2023 · 55dbade · 55dbade
1 parent d1bc63d
commit 55dbade
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/system/pages/forum/new_post.php b/system/pages/forum/new_post.php
@@ -33,6 +33,11 @@
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 		$saved = false;
+
+		if (!superAdmin()) {
+			$html = 0;
+		}
+
 		if(isset($_REQUEST['quote']))
 		{
 			$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();