author | Scott Ullrich <sullrich@pfsense.org> | 2007-12-03 20:33:46 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-12-03 20:33:46 +0000 |
commit | ef2a753c7566a17da87c93de0d933259f89c87d8 (patch) | |
tree | cdc9d19604b5c7ad7c9ab018d61b030169c37a94 /usr/local/www/firewall_nat_edit.php | |
parent | 6c1721d86b1bdfabdea4938f04bef89d6372a9c4 (diff) | |
download | pfsense-ef2a753c7566a17da87c93de0d933259f89c87d8.zip pfsense-ef2a753c7566a17da87c93de0d933259f89c87d8.tar.gz |
* Run through all posted values and encode them to a temporary variable. If the contents differ, then the operator is doing something bad. Simply reject the item with an invalid-character error and let them fix their XSS exploit attempt, etc.
Diffstat (limited to 'usr/local/www/firewall_nat_edit.php')
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index c840029..6e111d8 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -77,6 +77,15 @@ if($id) {
 if (isset($_GET['dup'])) unset($id);
+/* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+foreach($_POST as $post) {
+ $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto");
+ if($newpost <> $post)
+ $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
+}
+
 if ($_POST) {
 if ($_POST['beginport_cust'] && !$_POST['beginport']) |
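Review bot: The reject-on-difference check in the new `foreach` flags every non-ASCII character as an attack, because `mb_convert_encoding($post, "HTML-ENTITIES", "auto")` rewrites any character outside ASCII, so a legitimate accented letter in a description field triggers the "Invalid characters detected" error, while any nested `$_POST` array reaches `mb_convert_encoding` as an array rather than a string and is never compared at all. The durable XSS control is escaping at output time, `htmlspecialchars($value, ENT_QUOTES)` wherever a posted value is echoed back into the page, rather than a heuristic on input. If the input check is kept, compare strictly and skip non-strings, `if (is_string($post) && $newpost !== $post)`, and state the limitation in the comment, e.g. `/* rejects any non-ASCII input, not only markup; output must still be escaped with htmlspecialchars() */`. Whether `$input_errors` is initialised before this point cannot be seen here, and the `if ($_POST)` block that follows continues outside the hunk.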