0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AdminModerationController.php:407-440

Bug: Resolution notes written raw; threadSlug derived from $report['source_url'] which was user-controlled at report time.

Fix: Purify notes; validate threadSlug against /^escalation-[0-9a-f]{8}$/.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:55pm

Resolved.

Two changes in AdminModerationController::closeEscalation (src/Controllers/AdminModerationController.php):

  1. Slug validation: the $threadSlug derived from report.source_url is checked against /^escalation-[0-9a-f]{8}$/ (the exact shape ForumController::escalate mints). A poisoned source_url stored at report-creation time can no longer redirect the admin reply into an unrelated thread.
  2. Notes purification: $notes now runs through MarkdownService::purify() before being interpolated into the reply body; $verdict and $actor['username'] run through htmlspecialchars(ENT_QUOTES).

Locking this thread.
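A stand-alone sketch of the two checks described in the resolution post, added here as an example and not taken from the project's code. The class layout, the `$report['source_url']` and `$actor['username']` keys, and the `MarkdownService::purify()` stand-in are assumptions drawn from the thread, not from the real controller.

```php
<?php
// Added example, not the project's code: the two checks described above in
// a stand-alone form. Class shapes, the $report keys and the purify() stand-in
// are assumptions based on the thread, not the real controller.
declare(strict_types=1);

final class MarkdownService
{
    // Assumed stand-in for the project's purifier: drops tags and escapes
    // whatever remains so HTML placed in the notes is rendered inert.
    public static function purify(string $markdown): string
    {
        return htmlspecialchars(strip_tags($markdown), ENT_QUOTES, 'UTF-8');
    }
}

final class EscalationCloser
{
    // Exact slug shape minted by ForumController::escalate, per the thread.
    private const SLUG_PATTERN = '/^escalation-[0-9a-f]{8}$/';

    // source_url was user-controlled when the report was filed, so the slug
    // derived from it is untrusted input, not a trusted database value.
    public static function threadSlugFromReport(array $report): ?string
    {
        $path = parse_url((string) $report['source_url'], PHP_URL_PATH);
        $slug = basename(is_string($path) ? $path : '');
        return preg_match(self::SLUG_PATTERN, $slug) === 1 ? $slug : null;
    }

    // Everything interpolated into the reply is escaped for the context it
    // lands in: notes through the purifier, verdict and username as text.
    public static function buildReplyBody(string $verdict, string $notes, array $actor): string
    {
        $safeVerdict = htmlspecialchars($verdict, ENT_QUOTES, 'UTF-8');
        $safeActor   = htmlspecialchars($actor['username'], ENT_QUOTES, 'UTF-8');
        $safeNotes   = MarkdownService::purify($notes);
        return "<p><b>{$safeActor}</b> closed this escalation as <i>{$safeVerdict}</i>.</p>\n"
             . "<p>{$safeNotes}</p>";
    }
}

// Constructed samples: one poisoned source_url, one legitimate escalation slug.
foreach (['https://forum.example/threads/general-chat',
          'https://forum.example/threads/escalation-0badf00d'] as $url) {
    $slug = EscalationCloser::threadSlugFromReport(['source_url' => $url]);
    echo $url, ' => ', $slug ?? 'REJECTED', "\n";
}
echo EscalationCloser::buildReplyBody('spam', '<script>alert(1)</script>', ['username' => 'a<b']), "\n";
```

A caller that receives `null` from `threadSlugFromReport()` should refuse to post the reply rather than fall back to any other thread, since the stored URL is the only thing tying the report to its escalation.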
