
Commit c4e3e20

committed
Sanitize remote variables
This fixes the potential for persistent XSS attacks. Also fixes fetching forum topics and corrects the validation logic. Cleans up unnecessary variable naming; the blocks are evaluated in separate function contexts and do not collide.
1 parent 31c3cd7 commit c4e3e20


1 file changed

+35
-28
lines changed

1 file changed

+35
-28
lines changed

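--- a/src/templates/pages/default.txp
+++ b/src/templates/pages/default.txp
@@ -67,27 +67,31 @@
 <p>
 <a class="button" rel="external" href="https://github.com/textpattern/textpattern/" title="Stars on GitHub"><span class="ui-icon ui-extra-icon-github">GitHub</span> <strong>Stars</strong></a>
 <txp:etc_cache id="github-stars" time="-3600">
-<txp:php>
-$curl1 = curl_init();
+<txp:php>
+$curl = curl_init();
 
-curl_setopt_array($curl1, array(
-CURLOPT_RETURNTRANSFER => 1,
+curl_setopt_array($curl, [
+CURLOPT_RETURNTRANSFER => true,
 CURLOPT_URL => 'https://api.github.com/repos/textpattern/textpattern',
 CURLOPT_USERAGENT => 'Textpattern CMS',
-));
+CURLOPT_FAILONERROR => true,
+]);
 
-$response1 = curl_exec($curl1);
+$response = curl_exec($curl);
 
-if (curl_error($curl1)) {
-// Do nothing.
-} else {
-$json = json_decode($response1);
-echo '<a class="count-bubble" rel="external" href="https://github.com/textpattern/textpattern/stargazers" title="Stargazers on GitHub">'.$json->stargazers_count.'</a>';
+curl_close($curl);
+
+if ($response === false) {
+return;
+}
+
+if (!($json = json_decode($response))) {
+return;
 }
 
-curl_close($curl1);
-</txp:php>
-</txp:etc_cache>
+echo '<a class="count-bubble" rel="external" href="https://github.com/textpattern/textpattern/stargazers" title="Stargazers on GitHub">'.intval($json->stargazers_count).'</a>';
+</txp:php>
+</txp:etc_cache>
 </p>
 </div>
 </div>
@@ -199,26 +203,29 @@ curl_close($curl1);
 <ul class="list--no-bullets ellipsis">
 <txp:etc_cache id="forum-feed" time="-900">
 <txp:php>
-$curl2 = curl_init();
+$curl = curl_init();
 
-curl_setopt_array($curl2, array(
-CURLOPT_RETURNTRANSFER => 1,
-CURLOPT_URL => 'http://forum.textpattern.com/api/?limit=5&sort=posted',
-));
+curl_setopt_array($curl, [
+CURLOPT_RETURNTRANSFER => true,
+CURLOPT_URL => 'https://forum.textpattern.io/api/?limit=5&sort=posted',
+CURLOPT_FAILONERROR => true,
+]);
 
-$response2 = curl_exec($curl2);
+$response = curl_exec($curl);
 
-if (curl_error($curl2)) {
-// Do nothing.
-} else {
-$xml = json_decode($response2);
+curl_close($curl);
 
-foreach ($xml->topic as $topicElement) {
-echo '<li><a href="'.str_replace('http://', 'https://', $topicElement->link).'">'.htmlspecialchars($topicElement->title).'</a> <small class="block">by '.htmlspecialchars($topicElement->author->name).' on <time datetime="'.$topicElement->postedutc.'">'.$topicElement->posted.'</time></small></li>';
-}
+if ($response === false) {
+return;
 }
 
-curl_close($curl2);
+if (!($json = json_decode($response))) {
+return;
+}
+
+foreach ($json->topic as $topic) {
+echo '<li><a href="'.htmlspecialchars($topic->link).'">'.htmlspecialchars($topic->title).'</a> <small class="block">by '.htmlspecialchars($topic->author->name).' on <time datetime="'.htmlspecialchars($topic->postedutc).'">'.htmlspecialchars($topic->posted).'</time></small></li>';
+}
 </txp:php>
 <txp:linklist category="paid-links-content" break="li"><a rel="external" href="<txp:link_url />"><txp:link_name /></a> <small>(Ad)</small></txp:linklist>
 </txp:etc_cache>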
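Review bot: In the forum-feed hunk, `htmlspecialchars($topic->link)` on the `href` stops attribute breakout but says nothing about the URL scheme, so a non-http link in the feed response is still rendered as a clickable link; the old code's `str_replace('http://', 'https://', ...)` normalisation is also gone, so if the API still returns `http://` links they now pass through unchanged. Separately, `foreach ($json->topic as $topic)` and the stars hunk's `$json->stargazers_count` assume `json_decode` produced an object with those members — a scalar or differently-shaped payload gets past the `!($json = json_decode(...))` check and then warns instead of returning. Neither cURL block sets `CURLOPT_CONNECTTIMEOUT`/`CURLOPT_TIMEOUT`, so a stalled remote can hold up page rendering whenever the `etc_cache` entry expires. A rewrite of the forum block is below; the stars block needs the same timeouts plus an `isset($json->stargazers_count)` guard before the `echo`.
```php
curl_setopt_array($curl, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => 'https://forum.textpattern.io/api/?limit=5&sort=posted',
CURLOPT_FAILONERROR => true,
CURLOPT_CONNECTTIMEOUT => 5, // a slow feed must not stall cache refresh
CURLOPT_TIMEOUT => 10,
]);

// … unchanged: curl_exec / curl_close / $response === false check …

$json = json_decode($response);

// Only proceed on the shape we actually render (assumes "topic" decodes to a JSON array — confirm against the API).
if (!is_object($json) || !isset($json->topic) || !is_array($json->topic)) {
return;
}

foreach ($json->topic as $topic) {
$link = isset($topic->link) ? (string) $topic->link : '';

// Escaping neutralises markup, not the scheme: only emit links back to the forum origin.
if (strpos($link, 'https://forum.textpattern.io/') !== 0) {
continue;
}

echo '<li><a href="'.htmlspecialchars($link).'">'.htmlspecialchars($topic->title).'</a> <small class="block">by '.htmlspecialchars($topic->author->name).' on <time datetime="'.htmlspecialchars($topic->postedutc).'">'.htmlspecialchars($topic->posted).'</time></small></li>';
}
```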
