BUGFIX: Fixes an XSS issue in the comment form

This fixes an issue with the comment form which accepts unvalidated user input and can result in XSS exploitations. Resolves #17
robertlemke · Mar 22, 2016 · fadcdbc · fadcdbc
1 parent 4a90bef
commit fadcdbc
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/Classes/RobertLemke/Plugin/Blog/Controller/CommentController.php b/Classes/RobertLemke/Plugin/Blog/Controller/CommentController.php
@@ -61,6 +61,10 @@ public function createAction(NodeInterface $postNode, NodeTemplate $newComment)
             $this->throwStatus(400, 'Your comment was NOT created - it was too short.');
         }
 
+        $newComment->setProperty('text', filter_var($newComment->getProperty('text'), FILTER_SANITIZE_STRIPPED));
+        $newComment->setProperty('author', filter_var($newComment->getProperty('author'), FILTER_SANITIZE_STRIPPED));
+        $newComment->setProperty('emailAddress', filter_var($newComment->getProperty('emailAddress'), FILTER_SANITIZE_STRIPPED));
+
         $commentNode = $postNode->getNode('comments')->createNodeFromTemplate($newComment, uniqid('comment-'));
         $commentNode->setProperty('spam', false);
         $commentNode->setProperty('datePublished', new \DateTime());