| field | value | date |
|---|---|---|
| author | jim-p <jimp@pfsense.org> | 2015-11-23 15:57:33 -0500 |
| committer | jim-p <jimp@pfsense.org> | 2015-11-23 16:06:49 -0500 |
| commit | 0f26fc5a3fd730bf8ab006513389e6ddb1fff516 (patch) | |
| tree | 6f04535a1b042661ddce613c8025dee6f968ea77 /src/usr/local/www/pkg_mgr_install.php | |
| parent | 1c72e99f58fe901a4c2664aac1955927ebce58f1 (diff) | |
| download | pfsense-0f26fc5a3fd730bf8ab006513389e6ddb1fff516.zip pfsense-0f26fc5a3fd730bf8ab006513389e6ddb1fff516.tar.gz | |
Protect these two vars with htmlspecialchars
I wasn't able to exploit this but given how they are used, seems like it is only a matter of time before someone finds a way.
Diffstat (limited to 'src/usr/local/www/pkg_mgr_install.php')
-rw-r--r-- | src/usr/local/www/pkg_mgr_install.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/usr/local/www/pkg_mgr_install.php b/src/usr/local/www/pkg_mgr_install.php index ba4dc2e..08a6f7f 100644 --- a/src/usr/local/www/pkg_mgr_install.php +++ b/src/usr/local/www/pkg_mgr_install.php @@ -389,8 +389,8 @@ if (!empty($_POST['id']) || $_POST['mode'] == "reinstallall"): $start_polling = true; } ?> - <input type="hidden" name="id" value="<?=$_POST['id']?>" /> - <input type="hidden" name="mode" value="<?=$_POST['mode']?>" /> + <input type="hidden" name="id" value="<?=htmlspecialchars($_POST['id'])?>" /> + <input type="hidden" name="mode" value="<?=htmlspecialchars($_POST['mode'])?>" /> <input type="hidden" name="completed" value="true" /> <div id="countdown" style="text-align: center;"></div> |
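Review bot: escaping `$_POST['id']` and `$_POST['mode']` on output closes the reflected-XSS path through the two hidden inputs, but the values are still echoed back without any validation; since `id` is a package identifier and `mode` is compared against a fixed string (`$_POST['mode'] == "reinstallall"` in the hunk context), consider rejecting or normalising anything that is not a known package name or one of the expected mode values before it is re-emitted, so the round trip cannot carry arbitrary content at all. Separately, `htmlspecialchars()` without flags relies on the attributes staying double-quoted; passing `ENT_QUOTES` explicitly (e.g. `htmlspecialchars($_POST['id'], ENT_QUOTES)`) keeps the call correct if the quoting is ever changed.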