source/function/function_blog.php, line 226

'message' => $message,

Change it to:

'message' => dhtmlspecialchars($message),

A glaring cross-site scripting (XSS) hole in the Home blog feature. I have nothing more to say = =

source/admincp/admincp_members.php

cpmsg('members_delete_confirm', "action=members&operation=clean&submit=yes&confirmed=yes"

Change it to:

cpmsg('members_delete_confirm', "action=members&operation=clean&submit=yes&confirmed=yes&formhash=".FORMHASH

Then find:

if(!submitcheck('includepost')) {

and add this line above it:

if($_GET['formhash'] != FORMHASH) cpmsg('members_no_find_deluser', '', 'error');
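
The admincp_members.php change binds the destructive confirmation link to a per-session token and checks that token before acting. The stand-alone PHP sketch below shows that pattern; it is an added example, not Discuz! code, and form_hash(), confirm_url(), formhash_ok(), the admin.php path and the secret are hypothetical stand-ins (it also compares with hash_equals() instead of !=, which is this example's choice).

```php
<?php
// Added illustration, not Discuz! code. All function names and values are hypothetical.

// Derive a per-session form token (stand-in for the FORMHASH constant).
function form_hash(string $sessionSecret, int $uid): string {
    return substr(hash_hmac('sha256', "uid=$uid", $sessionSecret), 0, 8);
}

// Build the confirmation link with the token appended, as in the patched cpmsg() call.
function confirm_url(string $hash): string {
    return 'admin.php?' . http_build_query([
        'action' => 'members', 'operation' => 'clean',
        'submit' => 'yes', 'confirmed' => 'yes', 'formhash' => $hash,
    ]);
}

// Gate for the destructive step: reject a missing, non-string or wrong token.
// hash_equals() requires strings, so the type is checked first.
function formhash_ok(array $get, string $expected): bool {
    $given = $get['formhash'] ?? '';
    return is_string($given) && hash_equals($expected, $given);
}

// Constructed sample data.
$expected = form_hash('constructed-session-secret', 1);

// Request produced by following the genuine confirmation link.
parse_str(parse_url(confirm_url($expected), PHP_URL_QUERY), $legit);
// Cross-site request with the same parameters but no token (the pre-patch link).
$noToken = ['action' => 'members', 'operation' => 'clean',
            'submit' => 'yes', 'confirmed' => 'yes'];
// Wrong token value, and an array-typed parameter (?formhash[]=x).
$wrongToken = $noToken + ['formhash' => '00000000'];
$arrayParam = $noToken + ['formhash' => ['x']];

$cases = ['legit' => $legit, 'no token' => $noToken,
          'wrong token' => $wrongToken, 'array param' => $arrayParam];
foreach ($cases as $name => $req) {
    echo $name, ': ', formhash_ok($req, $expected) ? 'proceed' : 'rejected', PHP_EOL;
}
```

Only the request that carries the token from the generated link passes the gate; the other three are rejected before any member deletion would run.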