author | Renato Botelho <garga@FreeBSD.org> | 2015-05-25 11:10:45 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-05-25 11:10:45 -0300 |
commit | ac880ee72b4ff0859ef7473f0d96c1d9f98f0427 (patch) | |
tree | c802432eb9c917f862830a7724d087e0d4c1c886 | |
parent | 85a37985b15c7a7c935d0028aa7a520110c2e649 (diff) | |
Call htmlspecialchars() to remove dangerous chars from zone parameter. Also redirect user to services_captiveportal_zones.php when an invalid zone is passed
-rw-r--r-- | usr/local/www/services_captiveportal_zones.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr/local/www/services_captiveportal_zones.php b/usr/local/www/services_captiveportal_zones.php
index 8974167..3b865ed 100644
--- a/usr/local/www/services_captiveportal_zones.php
+++ b/usr/local/www/services_captiveportal_zones.php
@@ -49,7 +49,7 @@ if (!is_array($config['captiveportal']))
 $a_cp = &$config['captiveportal'];
 if ($_GET['act'] == "del" && !empty($_GET['zone'])) {
- $cpzone = $_GET['zone'];
+ $cpzone = htmlspecialchars($_GET['zone']);
 if ($a_cp[$cpzone]) {
 $cpzoneid = $a_cp[$cpzone]['zoneid'];
 unset($a_cp[$cpzone]['enable']);
@@ -58,9 +58,9 @@ if ($_GET['act'] == "del" && !empty($_GET['zone'])) {
 if (isset($config['voucher'][$cpzone]))
 unset($config['voucher'][$cpzone]);
 write_config();
- header("Location: services_captiveportal_zones.php");
- exit;
 }
+ header("Location: services_captiveportal_zones.php");
+ exit;
 }
 $pgtitle = array(gettext("Captive Portal"),gettext("Zones")); |
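Review bot: htmlspecialchars() on the new `$cpzone` assignment is an output encoder, but in the visible lines the value is only used as an array key into `$a_cp` and `$config['voucher']`, never written into HTML. Encoding at input changes the key, so a zone name containing `&`, `<` or `"` would no longer match its stored entry. Before PHP 8.1 the default flags also leave single quotes unescaped, so the call is not a dependable guard if `$cpzone` is echoed later. I would keep the raw value, reject non-strings and check membership, e.g. `$cpzone = is_string($_GET['zone']) ? $_GET['zone'] : '';` followed by `if (isset($a_cp[$cpzone])) {`, and escape where the value is actually output. The enclosing `if` block continues outside this hunk.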
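Review bot: The `write_config()` call in the second hunk is still reached from a plain GET request (`$_GET['act'] == "del"` in the hunk header), so a zone deletion remains a state change on a method that request-forgery tokens commonly do not cover; no token check is visible in either hunk. Moving the unconditional redirect below the inner `if` is sound, but the delete itself would be better gated on POST, e.g. `if ($_POST['act'] == "del" && !empty($_POST['zone'])) {`. That presumably requires the page's delete link to become a form submission, which is outside this diff. A log entry for a rejected zone name before the redirect would also make probing of this parameter visible to operators.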