authorRenato Botelho <garga@FreeBSD.org>2014-06-17 14:53:50 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-06-17 14:53:50 -0300
commit860b102acbdb8f7ea702c2f63c5216904428cf1d (patch)
tree1784d03246423514c82bf4ea0ec17b07d0b22aa5
parent3034b371853240299c8510782e4546896710b9b8 (diff)
downloadpfsense-860b102acbdb8f7ea702c2f63c5216904428cf1d.zip
pfsense-860b102acbdb8f7ea702c2f63c5216904428cf1d.tar.gz
Protect rssfeed parameters with htmlspecialchars()
-rw-r--r--usr/local/www/widgets/widgets/rss.widget.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/widgets/widgets/rss.widget.php b/usr/local/www/widgets/widgets/rss.widget.php
index 4ec4b7f..53166bc 100644
--- a/usr/local/www/widgets/widgets/rss.widget.php
+++ b/usr/local/www/widgets/widgets/rss.widget.php
@@ -33,10 +33,10 @@ require_once("pfsense-utils.inc");
require_once("functions.inc");
if($_POST['rssfeed']) {
- $config['widgets']['rssfeed'] = str_replace("\n", ",", $_POST['rssfeed']);
- $config['widgets']['rssmaxitems'] = str_replace("\n", ",", $_POST['rssmaxitems']);
- $config['widgets']['rsswidgetheight'] = $_POST['rsswidgetheight'];
- $config['widgets']['rsswidgettextlength'] = $_POST['rsswidgettextlength'];
+ $config['widgets']['rssfeed'] = str_replace("\n", ",", htmlspecialchars($_POST['rssfeed'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rssmaxitems'] = str_replace("\n", ",", htmlspecialchars($_POST['rssmaxitems'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rsswidgetheight'] = htmlspecialchars($_POST['rsswidgetheight'], ENT_QUOTES | ENT_HTML401);
+ $config['widgets']['rsswidgettextlength'] = htmlspecialchars($_POST['rsswidgettextlength'], ENT_QUOTES | ENT_HTML401);
write_config("Saved RSS Widget feed via Dashboard");
Header("Location: /");
}
@@ -48,10 +48,10 @@ if($config['widgets']['rssfeed'])
if($config['widgets']['rssmaxitems'])
$max_items = $config['widgets']['rssmaxitems'];
-if($config['widgets']['rsswidgetheight'])
+if(is_numeric($config['widgets']['rsswidgetheight']))
$rsswidgetheight = $config['widgets']['rsswidgetheight'];
-if($config['widgets']['rsswidgettextlength'])
+if(is_numeric($config['widgets']['rsswidgettextlength']))
$rsswidgettextlength = $config['widgets']['rsswidgettextlength'];
// Set a default feed if none exists
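Review bot: The htmlspecialchars() calls on the four new assignment lines in the first hunk encode the submitted values before they are written to $config, so a feed URL containing a query string (`?a=1&b=2`) is stored as `&amp;` and presumably no longer matches the URL the user entered when the feed is fetched; escaping belongs at the output point, and the stored value should be validated instead. For the feed list that means splitting on newline and rejecting any entry that fails `filter_var($url, FILTER_VALIDATE_URL)` before the str_replace(), which keeps the config clean and still leaves nothing injectable once output is escaped. The same applies to the two numeric fields: the `is_numeric()` guards added in the second hunk only protect the read path, so a non-numeric value is still persisted, and checking `is_numeric($_POST['rsswidgetheight'])` at save time (with the same for rsswidgettextlength) would reject it rather than store an encoded copy. The first hunk's if-block is complete; the defaults that the second hunk's conditions fall through to lie outside the shown lines.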