From 224fe02c3b03cfe20dd6037e4d42306126fa86f5 Mon Sep 17 00:00:00 2001
From: Sean Harvey
Date: Thu, 6 Nov 2008 00:36:58 +0000
Subject: [PATCH] BUGFIX Fixed some potential security issues in BlogHolder page type
---
 code/BlogHolder.php | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/code/BlogHolder.php b/code/BlogHolder.php
index 58acc8a..c3027af 100644
--- a/code/BlogHolder.php
+++ b/code/BlogHolder.php
@@ -53,7 +53,7 @@ class BlogHolder extends Page {
 return $fields;
 }
-
+
 /**
 * Get entries in this blog.
 * @param string limit A clause to insert into the limit clause.
@@ -66,9 +66,8 @@ class BlogHolder extends Page {
 $dateCheck = '';
 if($tag) {
- $SQL_tag = addslashes($tag);
- $SQL_tag = str_replace(array("\\",'_','%',"'"), array("\\\\","\\_","\\%","\\'"), $tag);
- $tagCheck = "AND `BlogEntry`.Tags LIKE '%$tag%'";
+ $SQL_tag = Convert::raw2sql($tag);
+ $tagCheck = "AND `BlogEntry`.Tags LIKE '%$SQL_tag%'";
 }
 if($date) {
@@ -95,9 +94,8 @@ class BlogHolder extends Page {
 */
 function ShowTag() {
 if(Director::urlParam('Action') == 'tag') {
- return Director::urlParam('ID');
+ return Convert::raw2xml(Director::urlParam('ID'));
 }
- return isset($_GET['tag']) ? $_GET['tag'] : false;
 }
 /**
@@ -111,10 +109,10 @@ class BlogHolder extends Page {
 Requirements::javascript('blog/javascript/bbcodehelp.js');
 $id = 0;
- if(Director::urlParam('ID')){
- $id = Director::urlParam('ID');
+ if(Director::urlParam('ID')) {
+ $id = (int) Director::urlParam('ID');
 }
-
+
 $codeparser = new BBCodeParser();
 $membername = Member::currentMember() ? Member::currentMember()->getName() : "";
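Review bot: Convert::raw2sql() on the new `$SQL_tag` line escapes quotes for the string literal but not the LIKE wildcards, so a tag containing `%` or `_` widens the match (a tag consisting of `%` alone matches every entry), whereas the removed lines at least attempted to escape those characters. Because the value is interpolated into `LIKE '%$SQL_tag%'` on the following line, escape the wildcards after the SQL escaping, not before it: `$SQL_tag = str_replace(array('%', '_'), array('\%', '\_'), Convert::raw2sql($tag));`. The substring match on the Tags column is pre-existing and will still match entries whose tags merely contain the search term. The enclosing entries method starts before the hunk.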
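Review bot: ShowTag() no longer has a return statement once the `if` on the tag action is skipped, because the `$_GET['tag']` fallback was removed without a replacement, so it now returns null implicitly; keep the old contract explicit with `return false;` after the closing brace of the `if`. The raw2xml() on the new return line escapes the ID for HTML output, presumably for template use; code that needs the raw tag value (the controller's BlogEntries() in a later hunk reads Director::urlParam('ID') itself) should not reuse this method's result, or the value is escaped twice.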
@@ -140,10 +138,10 @@ class BlogHolder extends Page {
 $form = new BlogEntry_Form($this, 'BlogEntryForm',$fields, $actions,$validator);
- if($id != 0){
- $form->loadNonBlankDataFrom(DataObject::get_by_id('BlogEntry',$id));
- }else{
- $form->loadNonBlankDataFrom(array("Author" => Cookie::get("BlogHolder_Name")));
+ if($id != 0) {
+ $form->loadNonBlankDataFrom(DataObject::get_by_id('BlogEntry', $id));
+ } else {
+ $form->loadNonBlankDataFrom(array("Author" => Cookie::get("BlogHolder_Name")));
 }
 return $form;
@@ -152,7 +150,7 @@ class BlogHolder extends Page {
 /**
 * Check if url has "/post"
 */
- function isPost(){
+ function isPost() {
 return Director::urlParam('Action') == 'post';
 }
@@ -160,7 +158,7 @@ class BlogHolder extends Page {
 * Link for creating a new blog entry
 */
 function postURL(){
- return $this->Link('post');
+ return $this->Link('post');
 }
 /**
@@ -224,16 +222,11 @@ class BlogHolder_Controller extends Page_Controller {
 }
 function BlogEntries($limit = 10) {
- $start = isset($_GET['start']) ? (int)$_GET['start'] : 0;
+ $start = isset($_GET['start']) ? (int) $_GET['start'] : 0;
 $tag = '';
 $date = '';
- if(isset($_GET['tag'])) {
- $tag = $_GET['tag'];
- }
-
-
- if(Director::urlParams()){
+ if(Director::urlParams()) {
 if(Director::urlParam('Action') == 'tag') {
 $tag = Director::urlParam('ID');
 } else {
@@ -271,6 +264,7 @@ class BlogHolder_Controller extends Page_Controller {
 return $output;
 }
+
 function tag() {
 if($this->ShowTag()) {
 return array(
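Review bot: The new `if($id != 0)` branch still loads whichever BlogEntry the URL ID names, with no visible check that the entry belongs to this holder or that the current member may edit it, so the edit form pre-fills from any entry by number; only the formatting changed here, and the `(int)` cast in the earlier hunk limits the value's shape, not its reach. DataObject::get_by_id() also returns a non-object when no row matches, and that is what loadNonBlankDataFrom() then receives. Unless the form handler outside the hunk performs that check, guard the load: `$entry = DataObject::get_by_id('BlogEntry', $id);` followed by `if($entry && $entry->ParentID == $this->ID && $entry->canEdit()) $form->loadNonBlankDataFrom($entry);`, relying on the SiteTree permission method BlogEntry inherits if it is a page type. The enclosing form method starts before the hunk.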
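Review bot: `$start` on the new first line of BlogEntries() is cast to int but not bounded, so a negative `?start=` value reaches whatever LIMIT clause the rest of the method builds outside this hunk, which MySQL would reject as invalid SQL rather than treat as zero; clamp it with `$start = isset($_GET['start']) ? max(0, (int) $_GET['start']) : 0;`. Dropping the `$_GET['tag']` branch matches the ShowTag() change earlier in the patch, and the remaining raw `Director::urlParam('ID')` read is acceptable only because the entries query now escapes `$tag` itself. The function continues past the end of the hunk.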