From fc15dc3a94857be1537e145c27d448f4f9c308e6 Mon Sep 17 00:00:00 2001
From: Bob Vincent
Date: Fri, 10 Jun 2011 18:07:42 -0400
Subject: [PATCH] Issue #601776: Secure contact forms against impersonation.

---
 modules/contact/contact.pages.inc | 14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/modules/contact/contact.pages.inc b/modules/contact/contact.pages.inc
index 30b2825045fc6f5a8f3ecc85276f4d5a4497d214..da9553fdf4b5b179e6ec6d6f8f2c9069e51eeaf5 100644
--- a/modules/contact/contact.pages.inc
+++ b/modules/contact/contact.pages.inc
@@ -65,7 +65,7 @@ function contact_site_form($form, &$form_state) {
     '#type' => 'textfield',
     '#title' => t('Your name'),
     '#maxlength' => 255,
-    '#default_value' => $user->uid ? format_username($user) : '',
+    '#default_value' => $user->uid ? strip_tags(format_username($user)) : '',
     '#required' => TRUE,
   );
   $form['mail'] = array(
@@ -131,7 +131,19 @@ function contact_site_form_submit($form, &$form_state) {
   $values = $form_state['values'];
   $values['sender'] = $user;
   $values['sender']->name = $values['name'];
+  $user_info = array();
+  $username = strip_tags(format_username($user));
+  if ($username && $values['name'] !== $username) {
+    $user_info[] = $username;
+  }
   $values['sender']->mail = $values['mail'];
+  if ($user->mail && $values['mail'] !== $user->mail) {
+    $user_info[] = '<' . $user->mail . '>';
+  }
+  if (!$user_info) {
+    $user_info[] = t('Verified');
+  }
+  $values['sender']->name .= '(' . implode(' ', $user_info) . ')';
   $values['category'] = contact_load($values['cid']);
 
   // Save the anonymous user information to a cookie for reuse.
-- 
1.7.4.1
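Review bot: The two new comparisons in contact_site_form_submit run after the context lines `$values['sender']->name = $values['name'];` and `$values['sender']->mail = $values['mail'];` have already written the submitted values into the object, and because `$values['sender'] = $user;` copies an object handle rather than the object, `$user->name` and `$user->mail` appear to hold the form input by the time `format_username($user)` and `$user->mail` are read, so both checks largely compare the input against itself and fall through to `t('Verified')`. If `$user` here is the global account object (its declaration is outside the hunk), the overwrite also leaks into the rest of the request. Reading the account values before the assignments, e.g. `$account_name = strip_tags(format_username($user));` and `$account_mail = $user->mail;` at the top of the hunk, or changing the context line to `$values['sender'] = clone $user;`, would make the impersonation check effective; please confirm against format_username(), which may consult fields other than `->name`. Separately, `'(' . implode(' ', $user_info) . ')'` is appended with no separator, so the sender reads as `Name(Verified)`; `' (' . implode(' ', $user_info) . ')'` keeps it readable. The function's body starts and ends outside the hunk.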