diff options
| author | Renato Botelho <garga@FreeBSD.org> | 2014-11-18 11:49:13 -0200 |
|---|---|---|
| committer | Renato Botelho <garga@FreeBSD.org> | 2014-11-18 11:49:13 -0200 |
| commit | 4b40d03612e47fc07433c1d722802f01f50e991f (patch) | |
| tree | 08cfdd764de3093f5a8ae2e44fa57bc7445fa53e /usr/local/www/widgets/widgets | |
| parent | e91a43d6febae9826a9ef7261ba8cf234f3eeae9 (diff) | |
| download | pfsense-4b40d03612e47fc07433c1d722802f01f50e991f.zip pfsense-4b40d03612e47fc07433c1d722802f01f50e991f.tar.gz | |
Define a local boolean var for showact to avoid security issues, also pass order parameter trough htmlspecialchars()
Diffstat (limited to 'usr/local/www/widgets/widgets')
| -rw-r--r-- | usr/local/www/widgets/widgets/captive_portal_status.widget.php | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/usr/local/www/widgets/widgets/captive_portal_status.widget.php b/usr/local/www/widgets/widgets/captive_portal_status.widget.php index 9fa2709..478ecfd 100644 --- a/usr/local/www/widgets/widgets/captive_portal_status.widget.php +++ b/usr/local/www/widgets/widgets/captive_portal_status.widget.php @@ -72,11 +72,13 @@ function clientcmp($a, $b) { $cpdb_all = array(); +$showact = isset($_GET['showact']) ? 1 : 0; + foreach ($a_cp as $cpzone => $cp) { $cpdb = captiveportal_read_db(); foreach ($cpdb as $cpent) { $cpent[10] = $cpzone; - if ($_GET['showact']) + if ($showact == 1) $cpent[11] = captiveportal_get_last_activity($cpent[2], $cpentry[3]); $cpdb_all[] = $cpent; } @@ -100,14 +102,14 @@ if ($_GET['order']) { ?> <table class="sortable" id="sortabletable" width="100%" border="0" cellpadding="0" cellspacing="0" summary="captive portal status"> <tr> - <td class="listhdrr"><a href="?order=ip&showact=<?=$_GET['showact'];?>">IP address</a></td> - <td class="listhdrr"><a href="?order=mac&showact=<?=$_GET['showact'];?>">MAC address</a></td> - <td class="listhdrr"><a href="?order=user&showact=<?=$_GET['showact'];?>"><?=gettext("Username");?></a></td> + <td class="listhdrr"><a href="?order=ip&showact=<?=$showact;?>">IP address</a></td> + <td class="listhdrr"><a href="?order=mac&showact=<?=$showact;?>">MAC address</a></td> + <td class="listhdrr"><a href="?order=user&showact=<?=$showact;?>"><?=gettext("Username");?></a></td> <?php - if ($_GET['showact']): + if ($showact == 1): ?> - <td class="listhdrr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Session start");?></a></td> - <td class="listhdrr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Last activity");?></a></td> + <td class="listhdrr"><a href="?order=start&showact=<?=$showact;?>"><?=gettext("Session start");?></a></td> + <td class="listhdrr"><a href="?order=start&showact=<?=$showact;?>"><?=gettext("Last activity");?></a></td> <?php endif; ?> @@ -120,7 +122,7 @@ foreach ($cpdb_all as $cpent): <td class="listr"><?=$cpent[3];?> </td> <td class="listr"><?=$cpent[4];?> </td> <?php - if ($_GET['showact']): + if ($showact == 1): ?> <td class="listr"><?=htmlspecialchars(date("m/d/Y H:i:s", $cpent[0]));?></td> <td class="listr"><?php if ($cpent[11] && ($cpent[11] > 0)) echo htmlspecialchars(date("m/d/Y H:i:s", $cpent[11]));?></td> @@ -128,7 +130,7 @@ foreach ($cpdb_all as $cpent): endif; ?> <td valign="middle" class="list nowrap"> - <a href="?order=<?=$_GET['order'];?>&showact=<?=$_GET['showact'];?>&act=del&zone=<?=$cpent[10];?>&id=<?=$cpent[5];?>" onclick="return confirm('Do you really want to disconnect this client?')"> + <a href="?order=<?=htmlspecialchars($_GET['order']);?>&showact=<?=$showact;?>&act=del&zone=<?=$cpent[10];?>&id=<?=$cpent[5];?>" onclick="return confirm('Do you really want to disconnect this client?')"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="x" /> </a> </td> |
