author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:53:50 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:53:58 -0300 |
commit | e4921058c6c5e2cb99b997fcf2594e9a7e10a11e (patch) | |
tree | 3d5095b371362d4cb52c3ca5f05438ce97441ba5 | |
parent | 526f5b114a2f93c4dbe95127eb574a1d1eca1df8 (diff) | |
Protect rssfeed parameters with htmlspecialchars()
-rw-r--r-- | usr/local/www/widgets/widgets/rss.widget.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/widgets/widgets/rss.widget.php b/usr/local/www/widgets/widgets/rss.widget.php
index 03cb01e..eecda05 100644
--- a/usr/local/www/widgets/widgets/rss.widget.php
+++ b/usr/local/www/widgets/widgets/rss.widget.php
@@ -33,10 +33,10 @@ require_once("pfsense-utils.inc");
 require_once("functions.inc");
 if($_POST['rssfeed']) {
- $config['widgets']['rssfeed'] = str_replace("\n", ",", $_POST['rssfeed']);
- $config['widgets']['rssmaxitems'] = str_replace("\n", ",", $_POST['rssmaxitems']);
- $config['widgets']['rsswidgetheight'] = $_POST['rsswidgetheight'];
- $config['widgets']['rsswidgettextlength'] = $_POST['rsswidgettextlength'];
+ $config['widgets']['rssfeed'] = str_replace("\n", ",", htmlspecialchars($_POST['rssfeed'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rssmaxitems'] = str_replace("\n", ",", htmlspecialchars($_POST['rssmaxitems'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rsswidgetheight'] = htmlspecialchars($_POST['rsswidgetheight'], ENT_QUOTES | ENT_HTML401);
+ $config['widgets']['rsswidgettextlength'] = htmlspecialchars($_POST['rsswidgettextlength'], ENT_QUOTES | ENT_HTML401);
 write_config("Saved RSS Widget feed via Dashboard");
 header("Location: /");
 }
@@ -48,10 +48,10 @@ if($config['widgets']['rssfeed'])
 if($config['widgets']['rssmaxitems'])
 $max_items = $config['widgets']['rssmaxitems'];
-if($config['widgets']['rsswidgetheight'])
+if(is_numeric($config['widgets']['rsswidgetheight']))
 $rsswidgetheight = $config['widgets']['rsswidgetheight'];
-if($config['widgets']['rsswidgettextlength'])
+if(is_numeric($config['widgets']['rsswidgettextlength']))
 $rsswidgettextlength = $config['widgets']['rsswidgettextlength'];
 // Set a default feed if none exists |
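Review bot: The four new assignments HTML-encode the raw POST values before they are written to `$config`, so a feed URL containing `&` (any query string with more than one parameter) is stored as `&amp;` and no longer matches what the user entered, while the places where these values are later echoed are outside this hunk and still need their own escaping. Escaping belongs at output; the input side should validate instead: keep the feed list as entered but accept only entries that pass `filter_var($u, FILTER_VALIDATE_URL)`, and cast the size/count fields to int, which is how the second hunk already treats them on the read side. `rssmaxitems` is split on newlines like `rssfeed`, so it appears to be a per-feed list and is cast element-wise below rather than as a whole; if non-URL feed entries are intentionally allowed, drop the URL filter and rely on output escaping alone. The enclosing `if($_POST['rssfeed'])` block starts and ends inside the hunk.
```php
if($_POST['rssfeed']) {
	// Store values unmodified and validated; htmlspecialchars() belongs where they are echoed into HTML.
	$feeds = array_filter(array_map('trim', explode("\n", $_POST['rssfeed'])));
	$feeds = array_filter($feeds, function ($u) { return filter_var($u, FILTER_VALIDATE_URL) !== false; });
	$config['widgets']['rssfeed'] = implode(",", $feeds);
	$config['widgets']['rssmaxitems'] = implode(",", array_map('intval', explode("\n", $_POST['rssmaxitems'])));
	$config['widgets']['rsswidgetheight'] = (int) $_POST['rsswidgetheight'];
	$config['widgets']['rsswidgettextlength'] = (int) $_POST['rsswidgettextlength'];
	// … unchanged: write_config() and the redirect …
```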
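Review bot: `is_numeric()` in the two new conditions still lets non-integer strings through to `$rsswidgetheight` and `$rsswidgettextlength`: it accepts leading whitespace, decimals and exponent forms such as `1e3` (and, on PHP 5, hexadecimal strings), and the values are then assigned as strings rather than integers. If these are pixel and character counts, as the names suggest, validate for an integer and cast on assignment: `if(filter_var($config['widgets']['rsswidgetheight'], FILTER_VALIDATE_INT) !== false)` followed by `$rsswidgetheight = (int) $config['widgets']['rsswidgetheight'];`, and the same pair for `rsswidgettextlength`. Where these two variables are rendered into HTML or CSS is outside this hunk, so the output side still needs its own escaping regardless of this check.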