authorScott Ullrich <sullrich@pfsense.org>2008-02-12 04:40:35 +0000
committerScott Ullrich <sullrich@pfsense.org>2008-02-12 04:40:35 +0000
commitd8c1a6c53c524714ad61dbcced0040108312a260 (patch)
tree6db2c41cf27483aa10c475cc19f0ff219a679296 /usr/local/www/pkg_edit.php
parent017648626c9e36526edd3a6212650f431ac16841 (diff)
Make scripts XSS input safe.
Pointed-out: by hoopercharles@gmail.com
Diffstat (limited to 'usr/local/www/pkg_edit.php')
-rwxr-xr-xusr/local/www/pkg_edit.php9
1 files changed, 4 insertions, 5 deletions
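--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -39,9 +39,8 @@ function gentitle_pkg($pgname) {
 return $pfSense_config['system']['hostname'] . "." . $pfSense_config['system']['domain'] . " - " . $pgname;
 }
-// XXX: Make this input safe.
-$xml = $_GET['xml'];
-if($_POST['xml']) $xml = $_POST['xml'];
+$xml = htmlspecialchars($_GET['xml']);
+if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
 if($xml == "") {
 print_info_box_np(gettext("ERROR: No package defined."));
@@ -68,7 +67,7 @@ $pgtitle = $title;
 $id = $_GET['id'];
 if (isset($_POST['id']))
- $id = $_POST['id'];
+ $id = htmlspecialchars($_POST['id']);
 if($pkg['custom_php_global_functions'] <> "")
 eval($pkg['custom_php_global_functions']);
@@ -80,7 +79,7 @@ if(!is_array($config['installedpackages'][xml_safe_fieldname($pkg['name'])]['con
 $a_pkg = &$config['installedpackages'][xml_safe_fieldname($pkg['name'])]['config'];
 if($_GET['savemsg'] <> "")
- $savemsg = $_GET['savemsg'];
+ $savemsg = htmlspecialchars($_GET['savemsg']);
 if($pkg['custom_php_command_before_form'] <> "")
 eval($pkg['custom_php_command_before_form']);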
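Review bot: `$id = $_GET['id'];` in the second hunk is left unescaped while the POST branch directly below it now wraps its value in htmlspecialchars(), so a GET request still carries raw `id` into whatever later echoes it; change it to `$id = htmlspecialchars($_GET['id']);` so both paths agree. More generally, the change HTML-encodes at the input boundary rather than at output: if `$xml` is later used to build a file path (not visible in this hunk), htmlspecialchars() neither restricts the value nor is the right transformation for that use, and a legitimate value containing `&` or quotes would be altered before use. Validating `xml` against the expected filename shape (for example `basename()` plus an existence check under the expected package directory) and escaping at the point of output would address the XSS without those side effects. The same input-versus-output concern applies to `savemsg` in the third hunk.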