author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:53:50 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:53:50 -0300 |
commit | 860b102acbdb8f7ea702c2f63c5216904428cf1d (patch) | |
tree | 1784d03246423514c82bf4ea0ec17b07d0b22aa5 | |
parent | 3034b371853240299c8510782e4546896710b9b8 (diff) | |
download | pfsense-860b102acbdb8f7ea702c2f63c5216904428cf1d.zip pfsense-860b102acbdb8f7ea702c2f63c5216904428cf1d.tar.gz |
Protect rssfeed parameters with htmlspecialchars()
-rw-r--r-- | usr/local/www/widgets/widgets/rss.widget.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/widgets/widgets/rss.widget.php b/usr/local/www/widgets/widgets/rss.widget.php
index 4ec4b7f..53166bc 100644
--- a/usr/local/www/widgets/widgets/rss.widget.php
+++ b/usr/local/www/widgets/widgets/rss.widget.php
@@ -33,10 +33,10 @@ require_once("pfsense-utils.inc");
 require_once("functions.inc");
 if($_POST['rssfeed']) {
-	$config['widgets']['rssfeed'] = str_replace("\n", ",", $_POST['rssfeed']);
-	$config['widgets']['rssmaxitems'] = str_replace("\n", ",", $_POST['rssmaxitems']);
-	$config['widgets']['rsswidgetheight'] = $_POST['rsswidgetheight'];
-	$config['widgets']['rsswidgettextlength'] = $_POST['rsswidgettextlength'];
+	$config['widgets']['rssfeed'] = str_replace("\n", ",", htmlspecialchars($_POST['rssfeed'], ENT_QUOTES | ENT_HTML401));
+	$config['widgets']['rssmaxitems'] = str_replace("\n", ",", htmlspecialchars($_POST['rssmaxitems'], ENT_QUOTES | ENT_HTML401));
+	$config['widgets']['rsswidgetheight'] = htmlspecialchars($_POST['rsswidgetheight'], ENT_QUOTES | ENT_HTML401);
+	$config['widgets']['rsswidgettextlength'] = htmlspecialchars($_POST['rsswidgettextlength'], ENT_QUOTES | ENT_HTML401);
 	write_config("Saved RSS Widget feed via Dashboard");
 	Header("Location: /");
 }
@@ -48,10 +48,10 @@ if($config['widgets']['rssfeed'])
 if($config['widgets']['rssmaxitems'])
 	$max_items = $config['widgets']['rssmaxitems'];
-if($config['widgets']['rsswidgetheight'])
+if(is_numeric($config['widgets']['rsswidgetheight']))
 	$rsswidgetheight = $config['widgets']['rsswidgetheight'];
-if($config['widgets']['rsswidgettextlength'])
+if(is_numeric($config['widgets']['rsswidgettextlength']))
 	$rsswidgettextlength = $config['widgets']['rsswidgettextlength'];
 // Set a default feed if none exists |
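Review bot: The four new assignments HTML-encode the POSTed values before they are written to `$config`, which applies an output-context escape at the input layer: any `&` in a feed URL (common in query strings) is persisted as `&amp;`, so if the stored URL is later handed to the fetcher unmodified the request goes to the wrong resource, and any output path that also calls htmlspecialchars() will double-encode. Input is the place to validate rather than encode — accept only http/https URLs for `rssfeed`, cast the size fields to integers, and keep htmlspecialchars() for the point where the values are echoed into the widget's HTML. `rssmaxitems` goes through the same newline-to-comma replacement as the feed list, which looks like a copy of the line above; if it is a single count it should be cast with intval() too, but I have left it alone below because the hunk does not show how it is consumed. The `Header("Location: /")` line is pre-existing, but without an `exit;` after it the rest of the page still renders on the POST request.
```php
if($_POST['rssfeed']) {
	// Validate on input; HTML-escape where the values are echoed, not here.
	$feeds = array();
	foreach (explode("\n", $_POST['rssfeed']) as $feed) {
		$feed = trim($feed);
		if (preg_match('#^https?://#i', $feed) && filter_var($feed, FILTER_VALIDATE_URL) !== false)
			$feeds[] = $feed;
	}
	$config['widgets']['rssfeed'] = implode(",", $feeds);
	// … unchanged: rssmaxitems assignment …
	$config['widgets']['rsswidgetheight'] = intval($_POST['rsswidgetheight']);
	$config['widgets']['rsswidgettextlength'] = intval($_POST['rsswidgettextlength']);
	// … unchanged: write_config() and redirect …
```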
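Review bot: `is_numeric()` on the two changed `if` lines is a looser gate than a widget height or text length needs — it accepts negatives, floats, exponent forms such as `1e3`, leading whitespace and (on PHP before 7) hex strings, all of which are awkward if `$rsswidgetheight` lands in an HTML/CSS size attribute or `$rsswidgettextlength` is passed to substr(); the hunk does not show those uses, so that is inferred from the names. A positive-integer check is closer to the intent, e.g. `if(filter_var($config['widgets']['rsswidgetheight'], FILTER_VALIDATE_INT, array("options" => array("min_range" => 1))) !== false)` with the same form for `rsswidgettextlength`, and an `(int)` cast on the assigned value. `$max_items` two lines above is still read behind a plain truthiness test although it is used as a count, so it deserves the same gate as the two lines the commit changes. When a check fails the variable is simply not assigned here; whether a default was established earlier is outside the hunk.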