authorRenato Botelho <garga@FreeBSD.org>2013-09-06 08:08:03 -0300
committerRenato Botelho <garga@FreeBSD.org>2013-09-06 08:08:03 -0300
commit605ae5537da157adfb414cc8837d465c132f4c8c (patch)
tree4637972b1c7fb3eeda71472fd7440235ef64682d /usr/local/www/wizard.php
parent8346b5c462bf349f8f81a3af4466c03e95a3d01a (diff)
Fix #3127
By default htmlspecialchars() does not escape single quotes, which can be a problem when the value attribute is set using it. Change the value attribute to use double quotes in places where it is obviously receiving the result of an htmlspecialchars() call.
Diffstat (limited to 'usr/local/www/wizard.php')
-rwxr-xr-xusr/local/www/wizard.php10
1 files changed, 5 insertions, 5 deletions
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index bcfe95b..f56d994 100755
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
@@ -389,7 +389,7 @@ function showchange() {
if(!$field['dontcombinecells'])
echo "<td class=\"vtable\">\n";
- echo "<input class='formfld unknown' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "'";
+ echo "<input class='formfld unknown' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\"";
if($field['size'])
echo " size='" . $field['size'] . "' ";
if($field['validate'])
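Review bot: The `id` and `name` attributes on the changed line are still single-quoted and receive `$name` with no escaping, so the delimiter problem this commit fixes for `value` remains for them if `$name` can ever contain a single quote; the same holds for the changed lines in the hunks at -420, -493 and -649. Escaping with quotes included, `htmlspecialchars($value, ENT_QUOTES)`, and applying the same call to `$name` and `$field['size']`, would make the output safe whichever delimiter a later edit picks. How `$name` is built is outside the hunk, so its possible contents should be confirmed there. The enclosing block starts and ends outside the hunk.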
@@ -420,7 +420,7 @@ function showchange() {
echo "<td class=\"vtable\">\n";
$inputaliases[] = $name;
- echo "<input class='formfldalias' autocomplete='off' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "'";
+ echo "<input class='formfldalias' autocomplete='off' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\"";
if($field['size'])
echo " size='" . $field['size'] . "' ";
if($field['validate'])
@@ -493,7 +493,7 @@ function showchange() {
}
if(!$field['dontcombinecells'])
echo "<td class=\"vtable\">";
- echo "<input class='formfld pwd' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "' type='password' ";
+ echo "<input class='formfld pwd' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\" type='password' ";
if($field['size'])
echo " size='" . $field['size'] . "' ";
echo " />\n";
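Review bot: The changed line writes `$value` into the `value` attribute of a `type='password'` input, so the secret is present in the page source and in any cached copy of the response even though the browser masks it on screen. Rendering the field empty and treating an empty submission as "keep the current value" avoids sending it back; that needs a matching change in the form handler, which is not in this hunk. Where `$value` is assigned is not visible here, so confirm it really is the saved password before changing the behaviour.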
@@ -649,7 +649,7 @@ function showchange() {
case "submit":
echo "<td>&nbsp;<br/></td></tr>";
echo "<tr><td colspan=\"2\" align=\"center\">";
- echo "<input type='submit' name='" . $name . "' value='" . htmlspecialchars($field['name']) . "' />\n";
+ echo "<input type='submit' name='" . $name . "' value=\"" . htmlspecialchars($field['name']) . "\" />\n";
if($field['description'] <> "") {
echo "<br /> " . $field['description'];
@@ -713,7 +713,7 @@ function showchange() {
continue;
$SELECTED = "";
if ($value == $tz) $SELECTED = " selected=\"selected\"";
- echo "<option value='" . htmlspecialchars($tz) . "' {$SELECTED}>";
+ echo "<option value=\"" . htmlspecialchars($tz) . "\" {$SELECTED}>";
echo htmlspecialchars($tz);
echo "</option>\n";
}