authorEvgeny Yurchenko <ey@tm-k.com>2011-05-27 21:55:22 +0000
committerEvgeny Yurchenko <ey@tm-k.com>2011-05-27 21:55:22 +0000
commitb45babaeb55ac039f498d13ce556f2d04d4db1f4 (patch)
tree5698601812bf8e52323d51256242b3e1a0dacc83 /usr/local/www/firewall_nat_out_edit.php
parentce91583bde65545591fd813ba4183ef86571f466 (diff)
downloadpfsense-b45babaeb55ac039f498d13ce556f2d04d4db1f4.zip
pfsense-b45babaeb55ac039f498d13ce556f2d04d4db1f4.tar.gz
Bug #1403. Filter Rules description does not get saved when a quote character (") is present
Diffstat (limited to 'usr/local/www/firewall_nat_out_edit.php')
-rwxr-xr-xusr/local/www/firewall_nat_out_edit.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php
index 4d960f2..5057ea8 100755
--- a/usr/local/www/firewall_nat_out_edit.php
+++ b/usr/local/www/firewall_nat_out_edit.php
@@ -115,6 +115,15 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach ($_POST as $key => $value) {
+ $temp = str_replace(">", "", $value);
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
+ $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
+ }
/* input validation */
$reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet");
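Review bot: The added loop only reports an input error; `$pconfig = $_POST` on the line above it still holds the raw values, so this is a validation gate and every page that echoes these fields must keep escaping them with htmlspecialchars() at output time. The comparison `if($newpost <> $temp)` is the loose operator; both operands are strings here, so `if ($newpost !== $temp)` expresses the intent and matches the strict-comparison style a reviewer would expect. The `>` character is removed before the check instead of being flagged, so a `>` in any field is silently accepted while `<`, `&` and `"` are rejected — if that is deliberate it deserves a comment such as `/* '>' is tolerated: it is stripped only for the comparison, the stored value is unchanged */`. The error message embeds the rejected value `$temp`, which means the error renderer must escape it or the rejection message itself becomes the injection point; that renderer is not visible from this hunk, and any array-valued `$_POST` entry would make `str_replace()` return an array that `htmlentities()` cannot take. The enclosing `if ($_POST)` block continues outside the hunk.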