Security improvements: SHA256, XSS protection, CSRF tokens, and PHP 7+ compatibility #4
Open
JoMangee wants to merge 26 commits into jemjabella:master from
Needs testing
changed terminology from guest book to open letter / signatures
terminology changed
added https and allowed + in email address
Guestbook -> Open Letter
Add stylesheet for protectsuzie styles
Integrated ready for pre-implementation review
Updated for deployment
Depending on your web server, entries.txt is web readable, potentially disclosing users' information
This reverts commit 9effc35.
Many spammers don't use full names
more points for names without spaces, and error message if we think it's spam
requested for openletter - had hack until now.
XSS Protection - All user inputs now properly escaped with htmlspecialchars() in index.php, admin.php, and outputs
Spam Logic Bug - Fixed sign.php so error message only shows when entry is actually rejected (not on every submission)
Session Security - Upgraded from MD5 to SHA256 with HttpOnly and Secure cookie flags in admin.php
CSRF Protection - Replaced weak hourly token with strong session-based random tokens using random_bytes(32)
Path Traversal - Added strict whitelist validation in admin.php preventing directory traversal attacks
Logout Security - Fixed logout.php to properly destroy sessions and clear cookies
…+ compatibility
This commit addresses critical security vulnerabilities in BellaBook:
1. Weak Password Hashing: Upgraded from MD5 to SHA256 for admin authentication
2. XSS Prevention: Added htmlspecialchars() with ENT_QUOTES to all user output
3. Path Traversal Protection: Implemented strict whitelist validation for file access
4. CSRF Protection: Added session-based CSRF tokens for form submissions
5. Secure Cookies: Added httponly and secure flags to authentication cookies
6. PHP 7+ Compatibility: Replaced deprecated ereg() with preg_match()
All changes are security-focused and backwards compatible. No breaking changes.
Note: Copyright symbol encoding change is cosmetic only due to file re-encoding.
JoMangee (Author) commented Jan 24, 2026
Much cleaner. Hope this helps
Pull Request: Security Improvements for BellaBook
Description
This PR addresses critical security vulnerabilities and compatibility issues in BellaBook 3.8 and earlier versions. It also resolves GitHub Issue #1 regarding PHP 7+ compatibility.
Security Fixes Included
1. Weak Password Hashing (Medium Risk)
admin.php
2. Cross-Site Scripting (XSS) Prevention (High Risk)
htmlspecialchars() with ENT_QUOTES and UTF-8 encoding to all user-controlled output
admin.php, index.php, sign.php
3. Path Traversal Protection (Medium Risk)
.., /, and \ characters
admin.php
4. PHP 7+ Compatibility (High Risk) - Fixes Issue #1
ereg() function removed in PHP 7.0, causes fatal errors on modern PHP
preg_match() for modern regex validation
sign.php
Benefits
✅ Security: Protects against common web vulnerabilities
✅ Compatibility: Works reliably on PHP 5.5, 7.x, and 8.x
✅ Maintenance: Fixes an open GitHub issue
✅ Backwards Compatible: All existing functionality preserved
✅ No Breaking Changes: Data migration not required
Testing Performed
How to Test
Apply the patch:
Verify the changes:
Manual testing:
Additional Resources
For detailed technical information, see the companion repository:
https://github.com/JoMangee/bellabook-security-patches
This repository contains:
bellabook-security.patch
BELLABOOK-SECURITY-PATCH.md
bellabook-security-test.sh
README-SECURITY-PATCHES.md
Related Issues
Checklist
Type of Change
Version Information
Thank you for considering this security improvement for BellaBook. We believe these fixes are important for the security and reliability of the project.
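The controls the PR describes (a session-bound CSRF token from random_bytes(32), htmlspecialchars() with ENT_QUOTES and UTF-8, an allow-list for the files admin.php may open, preg_match() in place of ereg(), and HttpOnly/Secure session cookies) in one self-contained PHP file, as an added example. This is not code from the PR or from BellaBook: every function name, the ADMIN_EDITABLE_FILES list and the sample inputs in the CLI block are constructed for illustration. It departs from the PR on one point: passwords are stored with password_hash() rather than a bare SHA-256 digest, because an unsalted fast hash, whether MD5 or SHA-256, can be brute-forced offline at very high rates, while bcrypt is salted and deliberately slow.

```php
<?php
// Added example, not BellaBook code. Names and sample inputs are illustrative.
declare(strict_types=1);

// Session cookie flags: HTTPS only, and unreadable from document.cookie.
function startSecureSession(): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// CSRF token bound to the session; 32 random bytes, hex-encoded for the form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    // hash_equals() compares in constant time, so the token does not leak via timing.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Output escaping: ENT_QUOTES also encodes single quotes, so the value is safe
// in attributes delimited with either quote style; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Path traversal: allow-list the names admin.php may open (constructed list),
// reject .., / and \ as defence in depth, then resolve the path and confirm it
// is still inside the base directory (catches symlinks and encoded tricks).
const ADMIN_EDITABLE_FILES = ['entries.txt', 'settings.php', 'banned.txt'];

function resolveAdminFile(string $baseDir, string $name): ?string
{
    if (!in_array($name, ADMIN_EDITABLE_FILES, true)) {
        return null;
    }
    if (preg_match('#\.\.|[/\\\\]#', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// ereg() was removed in PHP 7.0; preg_match() does the same job. The pattern
// accepts '+' in the local part, as one of the PR's commits notes.
function emailLooksValid(string $email): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email);
}

// Password storage: salted, slow hashing instead of md5()/sha256().
function hashAdminPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function adminPasswordMatches(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demonstration on constructed inputs when run from the command line.
function check(bool $ok, string $label): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
}

if (PHP_SAPI === 'cli') {
    $_SESSION = [];                          // stands in for a started session
    $token = csrfToken();
    check(csrfTokenIsValid($token), 'valid token accepted');
    check(!csrfTokenIsValid('0000'), 'wrong token rejected');
    check(!csrfTokenIsValid(null), 'missing token rejected');
    check(e('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;', 'tags escaped');
    check(e("x' onmouseover='alert(1)") === 'x&#039; onmouseover=&#039;alert(1)', 'quotes escaped');
    check(resolveAdminFile(__DIR__, '../../etc/passwd') === null, 'traversal rejected');
    check(resolveAdminFile(__DIR__, 'entries.txt\\..\\x') === null, 'backslash rejected');
    check(emailLooksValid('first+tag@example.com'), 'plus-address accepted');
    check(!emailLooksValid('not an email'), 'junk rejected');
    check(adminPasswordMatches('correct horse', hashAdminPassword('correct horse')), 'password round trip');
    echo "all checks passed\n";
}
```

Run it with `php example.php`; it exits non-zero with the failing label if any check fails. resolveAdminFile() returns null for an allow-listed name that does not exist on disk, since realpath() only resolves existing paths, so create the files before expecting a non-null result.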