[H-13] Escalation post body written raw

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 1 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/ForumController.php:2458-2462

Bug: $_POST['body'] trimmed then inserted without purify. Subject also unescaped.

Fix: MarkdownService::purify($body) and htmlspecialchars subject before ForumPost::create.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:37pm

Resolved.

Purified ForumController::escalate before writing to forum_posts.body (src/Controllers/ForumController.php):

  • $subject runs through htmlspecialchars(..., ENT_QUOTES) and is length-capped.
  • $body runs through MarkdownService::purify() before being interpolated into $fullBody.

A malicious moderator can no longer inject <script> or <iframe> into the admin-only escalation thread.

Locking this thread.

Related Discussions

Added composite indexes on forum_posts, file_uploads, messages
Important Alerts · 0 replies · 1 views
[forum.post_purged] Purged post #151 in thread #163
Admin System Log Files · 0 replies · 1 views
[M-24] closeEscalation notes not purified; slug derived from user input
Security Issues · 0 replies · 1 views
[M-17] startConversation (POST) doesn't check recipient role >= 2
Security Issues · 0 replies · 0 views
[M-4] SystemPostService::postCriticalLogs can loop on persistent forum-post failures
Security Issues · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy