Summary

com_banners and com_bannersmanager do not HTML-escape the 'custom banner code' value when echoing it into the edit form's textarea. This can cause various unpredictable problems when the stored code contains markup.


com_banners:admin.banners.html.php#line259

<textarea class="inputbox" cols="70" rows="5" name="custombannercode"><?php echo $_row->custombannercode;?></textarea>

...should be:

<textarea class="inputbox" cols="70" rows="5" name="custombannercode"><?php echo htmlspecialchars($_row->custombannercode);?></textarea>


com_bannersmanager:admin.bannersmanager.html.php#line410

<textarea class="inputbox" cols="70" rows="5" name="custombannercode"><?php echo $_row->custombannercode;?></textarea>

...should be:

<textarea class="inputbox" cols="70" rows="5" name="custombannercode"><?php echo htmlspecialchars($_row->custombannercode);?></textarea>
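The following is an added example, not code from the tracker report or from the Joomla project, that puts the reported rendering next to the proposed htmlspecialchars() fix and shows concretely what goes wrong when the stored value contains a closing tag. The function names and the sample banner code are constructed for illustration; the ENT_QUOTES flag and explicit charset go slightly beyond the bare htmlspecialchars() call in the report.

```php
<?php
// Added example (not part of the tracker report or of Joomla itself):
// why the textarea value in com_banners / com_bannersmanager must be escaped.
// Function names and the sample value below are constructed for illustration.

/** Renders the textarea the way the reported lines do: value echoed unescaped. */
function render_unescaped(string $customBannerCode): string
{
    return '<textarea class="inputbox" cols="70" rows="5" name="custombannercode">'
        . $customBannerCode
        . '</textarea>';
}

/** Renders the textarea with the proposed fix applied to the value. */
function render_escaped(string $customBannerCode): string
{
    // Inside a <textarea> only '<' and '&' need escaping, so the bare
    // htmlspecialchars() call in the report is sufficient there. ENT_QUOTES and
    // an explicit charset are an assumption added here so the same helper stays
    // safe if it is ever reused in an attribute context.
    return '<textarea class="inputbox" cols="70" rows="5" name="custombannercode">'
        . htmlspecialchars($customBannerCode, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample: stored banner code that happens to contain a closing
// </textarea> tag. Legitimate banner markup can contain this literally.
$stored = '<a href="/"></a></textarea><p>stray markup</p>';

echo render_unescaped($stored), PHP_EOL;
// The browser treats the first </textarea> it meets as the end of the field,
// so the remainder of the stored value is rendered as page markup rather than
// shown as editable text; the form is corrupted and the value cannot be
// round-tripped through the editor.

echo render_escaped($stored), PHP_EOL;
// The value is emitted as &lt;a href=&quot;/&quot;&gt;...&lt;/textarea&gt;...,
// which stays inside the field. Browsers decode character references in
// textarea content, so the user sees and submits the original text unchanged.

// Simple check: the escaped rendering contains exactly one closing tag,
// the unescaped rendering contains two.
assert(substr_count(render_escaped($stored), '</textarea>') === 1);
assert(substr_count(render_unescaped($stored), '</textarea>') === 2);
```

Run it with `php example.php`; the two echoed lines make the difference visible, and the asserts at the end encode the check a reviewer would apply to the patched template.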
Opened On: 26 Apr 2010, 17:55 by Sam Evans
Status: Open

Filed Under

  • Administrator
  • Apache 2.2.x
  • Firefox 2.x
  • MySQL 5.0.x
  • PHP 5.2.x
  • Templates