authorScott Ullrich <sullrich@pfsense.org>2007-12-03 20:33:46 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-12-03 20:33:46 +0000
commitef2a753c7566a17da87c93de0d933259f89c87d8 (patch)
treecdc9d19604b5c7ad7c9ab018d61b030169c37a94
parent6c1721d86b1bdfabdea4938f04bef89d6372a9c4 (diff)
* Run through all posted values and encode them into a temporary variable. If the contents differ, the operator is doing something bad. Simply reject the item with an invalid-character error and let them fix their XSS exploit attempt, etc.
-rwxr-xr-xusr/local/www/firewall_nat_edit.php9
-rwxr-xr-xusr/local/www/firewall_rules_edit.php9
2 files changed, 18 insertions, 0 deletions
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index c840029..6e111d8 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -77,6 +77,15 @@ if($id) {
if (isset($_GET['dup']))
unset($id);
+/* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+foreach($_POST as $post) {
+ $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto");
+ if($newpost <> $post)
+ $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
+}
+
if ($_POST) {
if ($_POST['beginport_cust'] && !$_POST['beginport'])
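Review bot: The comparison on the `mb_convert_encoding($post,"HTML-ENTITIES","auto")` line does not detect the markup the comment describes: that conversion only rewrites characters outside ASCII into numeric entities and leaves `<`, `>`, `"` and `&` untouched, so an ASCII-only tag passes unchanged while a legitimate description containing an accented character is rejected; the identical loop added to firewall_rules_edit.php has the same effect. `$_POST` values can also be arrays (multi-value fields), which `mb_convert_encoding` cannot take, so the loop should skip non-strings first: `if (!is_string($post)) continue;`. If the goal is to flag markup in input, `if (htmlspecialchars($post, ENT_QUOTES) !== $post)` states that directly and avoids the loose `<>` comparison, though escaping with `htmlspecialchars` at the point where these fields are echoed is the check that actually prevents injection. In this file the loop also runs before `if ($_POST) {`, so if that branch begins with `unset($input_errors)` as firewall_rules_edit.php does, the errors appended here would be discarded — worth confirming, since the rest of the handler lies outside the hunk.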
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 15b0eda..cd427d4 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -188,6 +188,15 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach($_POST as $post) {
+ $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto");
+ if($newpost <> $post)
+ $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
+ }
+
/* input validation */
$reqdfields = explode(" ", "type interface proto src dst");
$reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination");