Re: SECURITY WARNING: stop using Private Messaging plugin
This is a quick and dirty security fix. Only tested on a basic level.
This code is for the original, not Detective’s mod, which I will examine tomorrow unless Detective wants to apply the stuff below himself…
Replace the entire function pm_new_message (around line 100)
from:
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
...
}
to this:
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
    global $bbdb, $bb_table_prefix;
    $created_on = bb_current_time('mysql');

    // Force both user IDs to integers.
    $id_receiver = intval($id_receiver);
    $id_sender = intval($id_sender);

    // Title: strip all markup, then cap at 64 characters.
    $pmtitle = substr(strip_tags($pmtitle), 0, 64);

    // Take post_regulation off the pre_post chain before that chain runs below.
    remove_filter('pre_post', 'post_regulation');

    // Message: cap at 2048 characters, balance tags, then run the same
    // filters that forum posts go through.
    $message = substr($message, 0, 2048);
    $message = force_balance_tags($message);
    $message = apply_filters('pre_post', $message, 0, 0);
    $message = apply_filters('post_text', $message, 0);

    // Escape both strings for use inside the quoted SQL values.
    $pmtitle = mysql_real_escape_string($pmtitle);
    $message = mysql_real_escape_string($message);

    $bbdb->query("INSERT INTO ".$bb_table_prefix."privatemessages
        (id_sender, id_receiver, pmtitle, message, created_on)
        VALUES
        ('$id_sender', '$id_receiver', '$pmtitle', '$message','$created_on')");
}
This patch should in theory make it virtually completely sanitized (but still not completely validated, unfortunately) and has the added bonus that most other plugins that affect posts, like bb-smilies, etc., should work inside PMs.
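
The sanitized-versus-validated gap mentioned above, as an added example that is not part of the original post or the plugin: the same insert written with bound parameters and explicit rejection of bad input. PDO with in-memory SQLite stands in for $bbdb, and the function name pm_new_message_bound, the users table, the table layout and the validation rules are all assumptions; the bbPress tag balancing and filters are left out because they need bbPress loaded.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for $bbdb (assumption).
function pm_new_message_bound(PDO $db, $id_receiver, $id_sender, $pmtitle, $message) {
    // Validate instead of casting: intval('abc') would silently become 0.
    $opts = ['options' => ['min_range' => 1]];
    $id_receiver = filter_var($id_receiver, FILTER_VALIDATE_INT, $opts);
    $id_sender   = filter_var($id_sender, FILTER_VALIDATE_INT, $opts);
    if ($id_receiver === false || $id_sender === false) {
        return false;
    }

    // Same length limits as the patch in the post.
    $pmtitle = substr(strip_tags($pmtitle), 0, 64);
    $message = substr($message, 0, 2048);
    if (trim($pmtitle) === '' || trim($message) === '') {
        return false; // assumed rule: no empty titles or bodies
    }

    // Assumed rule: the receiver must be an existing user.
    $check = $db->prepare('SELECT 1 FROM users WHERE id = ?');
    $check->execute([$id_receiver]);
    if ($check->fetchColumn() === false) {
        return false;
    }

    // Bound parameters: values never become part of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO privatemessages
             (id_sender, id_receiver, pmtitle, message, created_on)
         VALUES (?, ?, ?, ?, ?)'
    );
    return $stmt->execute(
        [$id_sender, $id_receiver, $pmtitle, $message, gmdate('Y-m-d H:i:s')]
    );
}

// Constructed schema and inputs for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY)');
$db->exec('CREATE TABLE privatemessages (id_sender INTEGER, id_receiver INTEGER,
           pmtitle TEXT, message TEXT, created_on TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1), (2)');

var_dump(pm_new_message_bound($db, '2', '1', "it's <b>here</b>", "x'); DROP TABLE users; --"));
var_dump(pm_new_message_bound($db, 'abc', '1', 'hi', 'text'));  // non-numeric receiver
var_dump(pm_new_message_bound($db, '99', '1', 'hi', 'text'));   // receiver not in users
print_r($db->query('SELECT pmtitle, message FROM privatemessages')->fetchAll(PDO::FETCH_ASSOC));
```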