authorScott Ullrich <sullrich@pfsense.org>2007-12-04 00:14:20 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-12-04 00:14:20 +0000
commit21eff66f3199bb0c50c9ea5a9a473043dd4991a1 (patch)
tree948f7a50ad4b0aae2842f8935685780519d82ad8 /usr/local/www/firewall_nat_edit.php
parentce0a5816476bd4703b85a30396123f13da5be174 (diff)
downloadpfsense-21eff66f3199bb0c50c9ea5a9a473043dd4991a1.zip
pfsense-21eff66f3199bb0c50c9ea5a9a473043dd4991a1.tar.gz
Use htmlentities() to detect HTML injection.
Diffstat (limited to 'usr/local/www/firewall_nat_edit.php')
-rwxr-xr-xusr/local/www/firewall_nat_edit.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index a8f0031..6b5ab58 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -80,9 +80,10 @@ if (isset($_GET['dup']))
/* run through $_POST items encoding HTML entties so that the user
* cannot think he is slick and perform a XSS attack on the unwilling
*/
-foreach($_POST as $post) {
- $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto");
- if($newpost <> $post)
+foreach ($_POST as $key => $value) {
+ $temp = $value;
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
$input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
}
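Review bot: The check on the added `htmlentities($temp)` line runs with the default flags, so a single quote is left unencoded and passes the comparison, while `&` and (presumably, given this PHP version's default ISO-8859-1 charset) any non-ASCII byte is encoded and rejected — the filter misses an attribute-breaking payload like `' onmouseover='…` yet refuses a legitimate `&` in a description field. Passing the quote flag and an explicit charset narrows that gap: `$newpost = htmlentities($temp, ENT_QUOTES, 'UTF-8');`. If any field on this form posts an array value, htmlentities() returns NULL with a warning and the loose `<>` comparison then reports it as invalid; guard with `if (is_array($value)) continue;` or walk nested values recursively. Either way this is an input-rejection heuristic rather than output encoding, so every value still needs htmlspecialchars() at the point it is rendered back into the page; `$key` is unused in the loop and `$temp` is a redundant copy of `$value`.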