author | Renato Botelho <garga@FreeBSD.org> | 2013-09-06 08:08:03 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2013-09-06 08:08:03 -0300 |
commit | 605ae5537da157adfb414cc8837d465c132f4c8c (patch) | |
tree | 4637972b1c7fb3eeda71472fd7440235ef64682d /usr/local/www/pkg_edit.php | |
parent | 8346b5c462bf349f8f81a3af4466c03e95a3d01a (diff) | |
download | pfsense-605ae5537da157adfb414cc8837d465c132f4c8c.zip pfsense-605ae5537da157adfb414cc8837d465c132f4c8c.tar.gz |
Fix #3127
By default htmlspecialchars does not escape single quotes, which can be
a problem when a value attribute is delimited with them. Change the value
attribute to use double quotes in places where it is obviously receiving
the result of an htmlspecialchars() call.
Diffstat (limited to 'usr/local/www/pkg_edit.php')
-rwxr-xr-x | usr/local/www/pkg_edit.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 0f9827c..90f6163 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -519,7 +519,7 @@ if ($pkg['tabs'] <> "") {
 switch($pkga['type']){
 case "input":
 $size = ($pkga['size'] ? " size='{$pkga['size']}' " : "");
- $input = "<input {$size} id='{$pkga['fieldname']}' name='{$pkga['fieldname']}' class='formfld unknown' value='" . htmlspecialchars($value) ."' />\n";
+ $input = "<input {$size} id='{$pkga['fieldname']}' name='{$pkga['fieldname']}' class='formfld unknown' value=\"" . htmlspecialchars($value) ."\" />\n";
 $input .= "<br/>" . fixup_string($pkga['description']) . "\n";
 if(isset($pkga['advancedfield']) && isset($adv_filed_count)) {
 $js_array[] = $pkga['fieldname'];
@@ -531,7 +531,7 @@ if ($pkg['tabs'] <> "") {
 case "password":
 $size = ($pkga['size'] ? " size='{$pkga['size']}' " : "");
- $input = "<input " . $size . " id='" . $pkga['fieldname'] . "' type='password' name='" . $pkga['fieldname'] . "' class='formfld pwd' value='" . htmlspecialchars($value) . "' />\n";
+ $input = "<input " . $size . " id='" . $pkga['fieldname'] . "' type='password' name='" . $pkga['fieldname'] . "' class='formfld pwd' value=\"" . htmlspecialchars($value) . "\" />\n";
 $input .= "<br/>" . fixup_string($pkga['description']) . "\n";
 if(isset($pkga['advancedfield']) && isset($adv_filed_count)) {
 $js_array[] = $pkga['fieldname'];
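Review bot: The escaping on the new `value=\"…\"` line still depends on which quote character delimits the attribute, because `htmlspecialchars($value)` is called with its default flags, which (per the commit message) leave `'` unencoded. Passing the flag explicitly, `htmlspecialchars($value, ENT_QUOTES)`, keeps the output safe under either quoting and survives a later edit that switches the delimiter back. The same applies to the password case in the next hunk, the `$id` and `$savevalue` inputs in the `-921` hunk, and both `display_row` inputs. In this same tag `id='{$pkga['fieldname']}'`, `name='{$pkga['fieldname']}'` and `{$size}` remain single-quoted and unescaped; if those package-definition fields can ever carry user-influenced text they need the same encoding.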
@@ -921,8 +921,8 @@ if ($pkg['tabs'] <> "") {
 echo "<p><span class=\"red\"><strong>" . gettext("Note") . ":</strong></span> {$pkg['note']}</p>";
 }
 //if (isset($id) && $a_pkg[$id]) // We'll always have a valid ID in our hands
- echo "<input name='id' type='hidden' value='" . htmlspecialchars($id) . "' />";
- echo "<input name='Submit' type='submit' class='formbtn' value='" . htmlspecialchars($savevalue) . "' />\n{$pkg_buttons}\n";
+ echo "<input name='id' type='hidden' value=\"" . htmlspecialchars($id) . "\" />";
+ echo "<input name='Submit' type='submit' class='formbtn' value=\"" . htmlspecialchars($savevalue) . "\" />\n{$pkg_buttons}\n";
 if (!$only_edit){
 echo "<input class='formbtn' type='button' value='".gettext("Cancel")."' onclick='history.back()' />";
 }
@@ -967,13 +967,13 @@ function display_row($trc, $value, $fieldname, $type, $rowhelper, $size) {
 echo "<td>\n";
 switch($type){
 case "input":
- echo "<input size='{$size}' name='{$fieldname}{$trc}' id='{$fieldname}{$trc}' class='formfld unknown' value='" . htmlspecialchars($value) . "' />\n";
+ echo "<input size='{$size}' name='{$fieldname}{$trc}' id='{$fieldname}{$trc}' class='formfld unknown' value=\"" . htmlspecialchars($value) . "\" />\n";
 break;
 case "checkbox":
 echo "<input size='{$size}' type='checkbox' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' value='ON' ".($value?"CHECKED":"")." />\n";
 break;
 case "password":
- echo "<input size='{$size}' type='password' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' class='formfld pwd' value='" . htmlspecialchars($value) . "' />\n";
+ echo "<input size='{$size}' type='password' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' class='formfld pwd' value=\"" . htmlspecialchars($value) . "\" />\n";
 break;
 case "textarea":
 echo "<textarea rows='2' cols='12' id='{$fieldname}{$trc}' class='formfld unknown' name='{$fieldname}{$trc}'>{$value}</textarea>\n"; |
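Review bot: The `textarea` case at the end of the `display_row` hunk still writes the value raw, `…name='{$fieldname}{$trc}'>{$value}</textarea>`, while the `input` and `password` cases just above it are escaped. Unless the caller has already encoded `$value` (not visible in this hunk), stored text containing markup would be parsed as HTML rather than displayed as text. I would change the tail of that line to `name='{$fieldname}{$trc}'>" . htmlspecialchars($value) . "</textarea>\n";`. `$fieldname`, `$trc` and `$size` are likewise interpolated unescaped into single-quoted attributes in every case of this switch. The body of `display_row` starts before and continues past the hunk.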