From d15e8509b01ff2dbbe3028a055021a29b1065b22 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 8 Sep 2011 17:56:47 +0200
Subject: [PATCH] SECURITY Using JSON instead of serialize() to stringify user data in PageCommentsInterface

---
 code/sitefeatures/PageCommentInterface.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/code/sitefeatures/PageCommentInterface.php b/code/sitefeatures/PageCommentInterface.php
index 84568ec8..92823f4c 100755
--- a/code/sitefeatures/PageCommentInterface.php
+++ b/code/sitefeatures/PageCommentInterface.php
@@ -222,7 +222,7 @@ class PageCommentInterface extends RequestHandler {
 			foreach($fields as $field) {
 				if(!$field instanceof HiddenField) $visibleFields[] = $field->Name();
 			}
-			$form->loadDataFrom(unserialize($cookie), false, $visibleFields);
+			$form->loadDataFrom(Convert::json2array($cookie), false, $visibleFields);
 		}
 
 		return $form;
@@ -272,7 +272,7 @@ class PageCommentInterface extends RequestHandler {
  */
 class PageCommentInterface_Form extends Form {
 	function postcomment($data) {
-		Cookie::set("PageCommentInterface_Data", serialize($data));
+		Cookie::set("PageCommentInterface_Data", Convert::raw2json($data));
 		
 		// Spam filtering
 		if(SSAkismet::isEnabled()) {
@@ -333,7 +333,7 @@ class PageCommentInterface_Form extends Form {
 		$comment->write();
 		
 		unset($data['Comment']);
-		Cookie::set("PageCommentInterface_Data", serialize($data));
+		Cookie::set("PageCommentInterface_Data", Convert::raw2json($data));
 		
 		$moderationMsg = _t('PageCommentInterface_Form.AWAITINGMODERATION', "Your comment has been submitted and is now awaiting moderation.");
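Review bot: In the first hunk the result of `Convert::json2array($cookie)` goes straight into `loadDataFrom()`, but a cookie that is not valid JSON — a tampered value, or one written by the previous `serialize()` release and still held by a visitor's browser — decodes to something other than an array, and how `loadDataFrom()` copes with a non-array first argument is not visible here. Reading into a local and guarding keeps the prefill best-effort: `$data = Convert::json2array($cookie); if(is_array($data)) $form->loadDataFrom($data, false, $visibleFields);`. The `$visibleFields` list built just above is what stops cookie-supplied keys from reaching hidden fields, so it should stay on that call. The enclosing method starts before the hunk; the two `Cookie::set` writes in the later hunks are the producing side of the same cookie and need nothing beyond what the commit already does.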