NineChime forum

Furry stuff, oekaki stuff, and other stuff.


#1 10-21-2006 09:36:56

Jaapio
New member

Improve security

Hi,

(Comments written down for reference)

- Jaapio

Last edited by Waccoon (10-21-2006 21:16:17)


#2 10-21-2006 21:18:45

Waccoon
Administrator

Re: Improve security

Thanks for the report.  Due to specifics, I've copied your comments elsewhere.  There are reasons why Wacintaki doesn't fully filter stuff (mostly, due to formatting issues), but I think I'll be able to fix these types of issues in the next release.


#3 10-23-2006 03:20:16

Jaapio
New member

Re: Improve security

I don't see any problems with formatting issues, but that could just be me. I fixed this problem once for a board; it took about 10 seconds.
Edit:
You could replace $_COOKIE with $_SESSION. Session variables are stored on the server, which is (not surprisingly) more secure.
Just to prevent HTML/JavaScript trouble, I modified the editprofile code like this:

Code:

    $name       = htmlspecialchars( slashit($_POST['name']) , ENT_NOQUOTES);
    $email      = htmlspecialchars( slashit(trim ($_POST['email'])) , ENT_NOQUOTES);
    $age        = htmlspecialchars( decode_birthday($_POST['age_year'], $_POST['age_month'], $_POST['age_day']) , ENT_NOQUOTES);
    $gender     = htmlspecialchars( slashit($_POST['gender']) , ENT_NOQUOTES);
    $location   = htmlspecialchars( slashit(trim ($_POST['location'])) , ENT_NOQUOTES); // ENT_NOQUOTES is an htmlspecialchars() flag, not a slashit() argument
    $url        = htmlspecialchars( slashit(trim ($_POST['url'])) , ENT_NOQUOTES);
    $aim        = htmlspecialchars( slashit($_POST['aim']) , ENT_NOQUOTES);
    $icq        = htmlspecialchars( slashit($_POST['icq']) , ENT_NOQUOTES);
    $msn        = htmlspecialchars( slashit($_POST['msn']) , ENT_NOQUOTES);
    $yahoo      = htmlspecialchars( slashit($_POST['yahoo']) , ENT_NOQUOTES);
    $ircserver  = htmlspecialchars( slashit($_POST['ircserver']) , ENT_NOQUOTES);
    $ircnick    = htmlspecialchars( slashit($_POST['ircnick']) , ENT_NOQUOTES);
    $ircchan    = htmlspecialchars( slashit($_POST['ircchan']) , ENT_NOQUOTES);
    $language2  = htmlspecialchars( slashit($_POST['language2']) , ENT_NOQUOTES);
    $ctemplate  = htmlspecialchars( slashit($_POST['ctemplate']) , ENT_NOQUOTES);
    $picview    = (int) $_POST['picview'];
    $thumbview  = (int) $_POST['thumbview'];
    $screensize = (int) $_POST['screensize'];
    $adult      = htmlspecialchars( $_POST['adult'] , ENT_NOQUOTES);
    $username2  = htmlspecialchars( slashit($_POST['username2']) , ENT_NOQUOTES);
    $oldpass    = slashit($_POST['oldpass']);
    $passwd     = slashit($_POST['passwd']);
    $passwdnew  = slashit($_POST['passwdnew']);
    $comment    = htmlspecialchars (trim ($_POST['comment']));
    $urltitle   = htmlspecialchars( slashit (trim ($_POST['urltitle'])) , ENT_NOQUOTES);

and the register code like:

Code:

    $username = htmlspecialchars( slashit($_POST['username']), ENT_NOQUOTES);
    $email    = htmlspecialchars( slashit(trim ($_POST['email'])), ENT_NOQUOTES);
    $age      = htmlspecialchars( decode_birthday($_POST['age_year'], $_POST['age_month'], $_POST['age_day']), ENT_NOQUOTES);
    $pass     = slashit($_POST['pass']);
    $pass2    = slashit($_POST['pass2']);
    $artURL   = htmlspecialchars( slashit(trim ($_POST['artURL'])), ENT_NOQUOTES);
    $comment2 = htmlspecialchars( slashit(trim ($_POST['comments'])), ENT_NOQUOTES); // same fix: the flag belongs to htmlspecialchars()

P.S. I never tried it; the owner of the board that I made these changes for never accepted the file...

Last edited by Jaapio (10-25-2006 09:27:25)

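An added example, not code from this thread or from Wacintaki, showing what the ENT_NOQUOTES flag used in the profile code above does and does not encode, and why a field that ends up inside an HTML attribute (the profile URL, for instance) needs ENT_QUOTES instead. The function names and the sample input values are constructed for the illustration; slashit() is left out.

```php
<?php
// Added example (not from the thread): the escaping flag has to match the
// place in the page where the value is echoed.

// For text placed between tags: <, > and & are encoded, quotes are kept.
// This is what the editprofile snippet above does for every text field.
function escape_for_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_NOQUOTES, 'UTF-8');
}

// For text placed inside a quoted attribute value: quotes are encoded as
// well, so the value cannot end the attribute early.
function escape_for_attribute(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, the kind of thing a user could type into the
// "location" and "url" profile fields.
$location = 'My "favourite" <b>city</b>';
$url      = 'http://example.com/?q="x"';

// Between tags: the <b> markup is neutralised, the quotes survive, which
// is harmless in this position.
echo '<p>' . escape_for_text($location) . "</p>\n";

// Inside an attribute with ENT_NOQUOTES: the quotes survive here too, so
// the href value stops at the first one and the attribute is malformed.
echo '<a href="' . escape_for_text($url) . "\">with ENT_NOQUOTES</a>\n";

// Inside an attribute with ENT_QUOTES: the whole string stays inside the
// attribute value.
echo '<a href="' . escape_for_attribute($url) . "\">with ENT_QUOTES</a>\n";
```

Run it with the PHP CLI and compare the three lines of output; only the last one keeps the full URL inside the href attribute.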

Board footer

Yep, still running PunBB
© Copyright 2002–2008 PunBB