Normal text input is scrubbed to ensure that people do not inject their own HTML tags, such as <b>, <h1>, <blink>, etc. This ensures that no one hijacks your chat with huge text, or blinking messages, etc.
This scrubbing is not done when someone changes their nick however. This allows people to use HTML tags for their nickname, causing all sorts of havoc, especially for IE users. Give it a try in your room and see what I mean. Name yourself <marquee> and then post something. Try changing your name to <blink> or <button>, etc. - it's a huge mess.
I did some poking around and saw that in src/commands/send.class.php input is scrubbed for special characters. I checked in /src/commands/nick.class.php and saw that input was not scrubbed. I added the following line after line 32 in /src/commands/nick.class.php
- Code: Select all
$newnick = phpFreeChat::FilterSpecialChar($newnick);
In case you have a different version of chat installed, for reference my line 32 read as so:
- Code: Select all
$newnick = phpFreeChat::FilterNickname($param);
I suppose you could probably nest the commands as well, if you're a stickler for line count:
- Code: Select all
$newnick = phpFreeChat::FilterSpecialChar(phpFreeChat::FilterNickname($param));
Either way you cut it, you should add this to your code to cover yourself.
kerphi, I hope this can make it into the next version of phpfreechat!
