The real fix for this is to edit the following in the settingsfunctions.php:
Line 33:
return htmlentities(trim($_REQUEST[$varName]), ENT_QUOTES);
Lines 51-59:
$rec = array(
    'user_id' => $cfg['user'],
    'file' => $file,
    'action' => $action,
    'ip' => htmlentities($cfg['ip'], ENT_QUOTES),
    'ip_resolved' => htmlentities($host_resolved, ENT_QUOTES),
    'user_agent' => htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES),
    'time' => $create_time
);
By doing this, all the request/get vars will be scrubbed as well as any logging of user-agents and IP addresses reported by the visitor.
We are planning a TF 2.1.1 release very soon.
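The two changes above, exercised on constructed input to show what ends up stored. This is an added example, not the project's own code: the function names, sample values and the explicit 'UTF-8' charset argument are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added illustration; function names are hypothetical, not the project's own.

// Mirrors the "Line 33" change: trim, then entity-encode a request value.
// The explicit 'UTF-8' charset is an addition; the original call omits it.
function scrub_request_var(array $request, string $name): string
{
    if (!isset($request[$name])) {
        return '';
    }
    return htmlentities(trim((string) $request[$name]), ENT_QUOTES, 'UTF-8');
}

// Mirrors the "Lines 51-59" change: encode visitor-supplied fields before logging.
function build_log_record(array $cfg, array $server, string $file, string $action, string $hostResolved): array
{
    return array(
        'user_id'     => $cfg['user'],
        'file'        => $file,
        'action'      => $action,
        'ip'          => htmlentities($cfg['ip'], ENT_QUOTES, 'UTF-8'),
        'ip_resolved' => htmlentities($hostResolved, ENT_QUOTES, 'UTF-8'),
        'user_agent'  => htmlentities($server['HTTP_USER_AGENT'] ?? '', ENT_QUOTES, 'UTF-8'),
        'time'        => time(),
    );
}

// Constructed sample input: markup-bearing values a visitor controls.
$request = array('search' => "  it's <b>bold</b> & \"quoted\"  ");
$server  = array('HTTP_USER_AGENT' => '"><script>alert(1)</script>');
$cfg     = array('user' => 'admin', 'ip' => '192.0.2.10');

$search = scrub_request_var($request, 'search');
$rec    = build_log_record($cfg, $server, 'example.torrent', 'view', 'host.example');

echo $search, "\n";
echo $rec['user_agent'], "\n";

// No raw markup characters survive in the stored values.
foreach (array($search, $rec['user_agent'], $rec['ip'], $rec['ip_resolved']) as $value) {
    assert(strpbrk($value, "<>\"'") === false);
}

// Caveat: if the view encodes again, "&" is re-encoded ("&amp;lt;").
// Passing double_encode=false leaves existing entities untouched.
$twice = htmlentities($rec['user_agent'], ENT_QUOTES, 'UTF-8');
$once  = htmlentities($rec['user_agent'], ENT_QUOTES, 'UTF-8', false);
assert($twice !== $rec['user_agent'] && $once === $rec['user_agent']);
```

Because the values are entity-encoded at input and log time, any page that prints them should not encode them a second time, and the encoding is for HTML output only; it is not a substitute for SQL escaping.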