diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-03-12 11:35:57 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-03-12 11:42:49 -0300 |
commit | e41ec5848f21015068255c1d61d01edf442e8e7e (patch) | |
tree | 45c3214c1e3d638dbacb217cd3de95fb4aa6e770 /usr/local/www/system_authservers.php | |
parent | 49f3f28fea92114b09d3b2d8103398c4adcb3635 (diff) | |
download | pfsense-e41ec5848f21015068255c1d61d01edf442e8e7e.zip pfsense-e41ec5848f21015068255c1d61d01edf442e8e7e.tar.gz |
Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars() before print
Diffstat (limited to 'usr/local/www/system_authservers.php')
-rw-r--r-- | usr/local/www/system_authservers.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index cbf5ebd..6b5c502 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php @@ -44,8 +44,9 @@ require_once("auth.inc"); $pgtitle = array(gettext("System"), gettext("Authentication Servers")); $shortcut_section = "authentication"; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (is_numericint($_GET['id'])) + $id = $_GET['id']; +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; if (!is_array($config['system']['authserver'])) @@ -788,7 +789,7 @@ function select_clicked() { <td width="78%"> <input id="submit" name="save" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <?php if (isset($id) && $a_server[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>" /> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif;?> </td> </tr> |