From 548b65ad73058289812e59ac1cfba1f9b3a17de4 Mon Sep 17 00:00:00 2001
From: Aleteoryx
Date: Thu, 15 Aug 2024 23:15:01 +0100
Subject: fix *more* csv escaping issues
---
 visitors.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'visitors.php')
diff --git a/visitors.php b/visitors.php
index 4073598..b50756f 100644
--- a/visitors.php
+++ b/visitors.php
@@ -503,6 +503,7 @@ session_start(['cookie_lifetime' => 1440]);
 function cleanup_post() {
 global $config;
+ $ws = ["\r", "\n"];
 // error_log(var_export($_POST, true));
 if ($config['captcha'] && (@$_SESSION['captcha'] !== htmlentities($_POST['captcha']??''))) {
 return "Invalid captcha!";
@@ -510,9 +511,9 @@ function cleanup_post() {
 if (isset($_POST['site-or-email'])) {
 $_POST['site-or-email'] = trim($_POST['site-or-email']);
 if (preg_match('/^(?:https?|gopher|gemini):\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/', $_POST['site-or-email']))
- $_POST['website'] = htmlentities($_POST['site-or-email']);
+ $_POST['website'] = str_replace(["\r", "\n"], "", htmlentities($_POST['site-or-email']));
 else if (preg_match('/^[a-zA-Z0-9.!#$%&’*+\/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/', $_POST['site-or-email']))
- $_POST['email'] = htmlentities($_POST['site-or-email']);
+ $_POST['email'] = str_replace(["\r", "\n"], "", htmlentities($_POST['site-or-email']));
 else return "Invalid Website URL or E-Mail!";
 } else {
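Review bot: The local added at the top of cleanup_post(), `$ws = ["\r", "\n"];`, is never referenced: every new `str_replace` call in the `@@ -510` hunk and in the `@@ -521` hunk spells out the literal `["\r", "\n"]` again, so the variable is dead code that will drift from the call sites. Either remove the line or use it everywhere, e.g. `$_POST['website'] = str_replace($ws, "", htmlentities($_POST['site-or-email']));` for the two sites in the next hunk and the three in the one after. A one-line private helper that applies htmlentities() and the CR/LF strip together would keep all five sites identical, but that is a style preference. cleanup_post() continues past the end of this hunk.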
@@ -521,15 +522,17 @@ function cleanup_post() {
 if (!preg_match('/^(?:https?|gopher|gemini):\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/', $_POST['website'])) return "Invalid Website URL!";
 $_POST['website'] = htmlentities($_POST['website']);
+ $_POST['website'] = str_replace(["\r", "\n"], "", $_POST['email']);
 }
 if (isset($_POST['email']) && $_POST['email'] !== '') {
 $_POST['email'] = trim($_POST['email']);
 if (!preg_match('/^[a-zA-Z0-9.!#$%&’*+\/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/', $_POST['email'])) return "Invalid E-Mail!";
 $_POST['email'] = htmlentities($_POST['email']);
+ $_POST['email'] = str_replace(["\r", "\n"], "", $_POST['email']);
 }
 }
- $_POST['name'] = htmlentities($_POST['name']);
+ $_POST['name'] = str_replace(["\r", "\n"], "", htmlentities($_POST['name']));
 $_POST['message'] = implode('
', explode("\n", htmlentities($_POST['message'])));
 if (mb_strlen($_POST['name']) > 128)
-- cgit v1.2.3-70-g09d2
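Review bot: The first added line in this hunk, `$_POST['website'] = str_replace(["\r", "\n"], "", $_POST['email']);`, reads from the wrong field: it replaces the website value that the preceding two lines just validated against the URL pattern and passed through htmlentities() with the e-mail field, which at this point has not been trimmed, validated or escaped (that happens in the next `if` block) and is unset when no e-mail was submitted. The stored website therefore becomes the raw e-mail input with only CR/LF removed, and the URL check on the line above no longer guards what is written back. The operand should be the website field, `$_POST['website'] = str_replace(["\r", "\n"], "", $_POST['website']);`, mirroring the e-mail line added further down. cleanup_post() starts before this hunk and continues past it.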