authorjim-p <jimp@pfsense.org>2015-11-23 15:57:33 -0500
committerjim-p <jimp@pfsense.org>2015-11-23 16:06:49 -0500
commit0f26fc5a3fd730bf8ab006513389e6ddb1fff516 (patch)
tree6f04535a1b042661ddce613c8025dee6f968ea77 /src/usr/local/www/pkg_mgr_install.php
parent1c72e99f58fe901a4c2664aac1955927ebce58f1 (diff)
Protect these two vars with htmlspecialchars
I wasn't able to exploit this, but given how they are used, it seems like it is only a matter of time before someone finds a way.
Diffstat (limited to 'src/usr/local/www/pkg_mgr_install.php')
-rw-r--r--src/usr/local/www/pkg_mgr_install.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/usr/local/www/pkg_mgr_install.php b/src/usr/local/www/pkg_mgr_install.php
index ba4dc2e..08a6f7f 100644
--- a/src/usr/local/www/pkg_mgr_install.php
+++ b/src/usr/local/www/pkg_mgr_install.php
@@ -389,8 +389,8 @@ if (!empty($_POST['id']) || $_POST['mode'] == "reinstallall"):
$start_polling = true;
}
?>
- <input type="hidden" name="id" value="<?=$_POST['id']?>" />
- <input type="hidden" name="mode" value="<?=$_POST['mode']?>" />
+ <input type="hidden" name="id" value="<?=htmlspecialchars($_POST['id'])?>" />
+ <input type="hidden" name="mode" value="<?=htmlspecialchars($_POST['mode'])?>" />
<input type="hidden" name="completed" value="true" />
<div id="countdown" style="text-align: center;"></div>
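Review bot: The two new `htmlspecialchars()` calls on the added `id` and `mode` hidden inputs use the default flags, so single quotes are left unescaped and the character set falls back to the interpreter default; since this is reflected request input, pass the flags and charset explicitly, e.g. `htmlspecialchars($_POST['id'], ENT_QUOTES, 'UTF-8')`. The enclosing condition in the hunk header (`!empty($_POST['id']) || $_POST['mode'] == "reinstallall"`) also admits a request where `id` is absent, so the `$_POST['id']` read presumably raises an undefined-index notice on the reinstall-all path; an `isset($_POST['id']) ? $_POST['id'] : ''` guard would cover it. A more robust fix than escaping alone would be to validate `id` and `mode` against the expected set of values before echoing them back, though where those values are consumed is outside this hunk. The enclosing `if` block starts before the hunk.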