authorScott Ullrich <sullrich@pfsense.org>2008-02-12 04:40:35 +0000
committerScott Ullrich <sullrich@pfsense.org>2008-02-12 04:40:35 +0000
commitd8c1a6c53c524714ad61dbcced0040108312a260 (patch)
tree6db2c41cf27483aa10c475cc19f0ff219a679296 /usr/local/www/wizard.php
parent017648626c9e36526edd3a6212650f431ac16841 (diff)
Make scripts XSS input safe.
Pointed-out: by hoopercharles@gmail.com
Diffstat (limited to 'usr/local/www/wizard.php')
-rwxr-xr-xusr/local/www/wizard.php13
1 files changed, 6 insertions, 7 deletions
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index 2290099..64a5229 100755
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
@@ -34,14 +34,13 @@ function gentitle_pkg($pgname) {
return $config['system']['hostname'] . "." . $config['system']['domain'] . " - " . $pgname;
}
-$stepid = $_GET['stepid'];
+$stepid = htmlspecialchars($_GET['stepid']);
if (isset($_POST['stepid']))
- $stepid = $_POST['stepid'];
+ $stepid = htmlspecialchars($_POST['stepid']);
if (!$stepid) $stepid = "0";
-// XXX: Make this input safe.
-$xml = $_GET['xml'];
-if($_POST['xml']) $xml = $_POST['xml'];
+$xml = htmlspecialchars($_GET['xml']);
+if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
if($xml == "") {
$xml = "not_defined";
@@ -232,9 +231,9 @@ function enablechange() {
<tr><td colspan='2'>
<?php
if ($_GET['message'] != "")
- print_info_box($_GET['message']);
+ print_info_box(htmlspecialchars($_GET['message']));
if ($_POST['message'] != "")
- print_info_box($_POST['message']);
+ print_info_box(htmlspecialchars($_POST['message']));
?></td></tr>
<tr><td colspan='2'><center><b><?= fixup_string($description) ?></b></center></td></tr><tr><td>&nbsp;</td></tr>
<?php
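Review bot: Applying htmlspecialchars() to `$_GET['stepid']` and `$_GET['xml']` at the point they are read (first hunk) encodes them for HTML output but does not validate them for how the rest of the file uses them; if `$xml` is later used to locate the wizard definition file (not visible in this hunk), characters such as `/` and `.` pass through unchanged, and `$stepid` remains an arbitrary string rather than a step index. Prefer validating by type here, `$stepid = (int) $stepid;` once both sources have been read, and restricting `$xml` to an allow-list such as `preg_match('/^[A-Za-z0-9_.-]+$/', $xml)` with `..` rejected (or `basename()`), keeping htmlspecialchars() for the places where the values are actually echoed. Note also that htmlspecialchars() without ENT_QUOTES leaves single quotes intact, and this page uses single-quoted attributes (`colspan='2'`), so pass `ENT_QUOTES` wherever an escaped value can land inside an attribute. The escaping of `$_GET['message']`/`$_POST['message']` at the print_info_box() calls in the second hunk is done at the output layer, which is the right place; the same flag remark applies there, and the enclosing markup/function for that hunk begins outside the shown lines.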