diff options
| author | Phil Davis <phil.davis@inf.org> | 2016-01-25 13:59:11 +0545 |
|---|---|---|
| committer | Phil Davis <phil.davis@inf.org> | 2016-01-25 13:59:11 +0545 |
| commit | 9fa1712002c42cc3aa5467e9d769c7d036bd880e (patch) | |
| tree | 69f79984169b771df74d515d92620716125b9b5f | |
| parent | b5b8f8dd2f02566a928cc620a83788fd44a97fad (diff) | |
| download | pfsense-9fa1712002c42cc3aa5467e9d769c7d036bd880e.zip pfsense-9fa1712002c42cc3aa5467e9d769c7d036bd880e.tar.gz | |
Wrap pkg_full_path in htmlspecialchars()
Because it contains $xml which is itself wrapped in htmlspecialchars() for display.
| -rwxr-xr-x | usr/local/www/pkg.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/pkg.php b/usr/local/www/pkg.php index b8a97e1..945559f 100755 --- a/usr/local/www/pkg.php +++ b/usr/local/www/pkg.php @@ -55,10 +55,10 @@ if($xml == "") { $pkg_full_path = "{$pkg_xml_prefix}/{$xml}"; $pkg_realpath = realpath($pkg_full_path); if (empty($pkg_realpath)) { - $path_error = sprintf(gettext("ERROR: Package path %s not found."), $pkg_full_path); + $path_error = sprintf(gettext("ERROR: Package path %s not found."), htmlspecialchars($pkg_full_path)); } else { if (substr_compare($pkg_realpath, $pkg_xml_prefix, 0, strlen($pkg_xml_prefix))) { - $path_error = sprintf(gettext("ERROR: Invalid path %s specified."), $pkg_full_path); + $path_error = sprintf(gettext("ERROR: Invalid path %s specified."), htmlspecialchars($pkg_full_path)); } } |
