| author | smos <seth.mos@dds.nl> | 2010-05-14 14:00:45 +0200 |
|---|---|---|
| committer | smos <seth.mos@dds.nl> | 2010-05-14 14:02:20 +0200 |
| commit | 08825acc2c6fff6bb5ea090a3a9544cd495ea32c (patch) | |
| tree | 8ecce885bb541c966e053d7564579b540cc3517d /usr/local/www | |
| parent | ee23ccabcd20585532e149688145c6d9a6576111 (diff) | |
Allow the use of ">" in filter rule descriptions. Even whilst stripping the > before the comparison, htmlentities will still trigger on the <. It is safe to assume here that creating any sort of html tag is unlikely. Ticket #465
Diffstat (limited to 'usr/local/www')
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 05ad793..2baaef0 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -247,7 +247,8 @@ if ($_POST) { * cannot think he is slick and perform a XSS attack on the unwilling */ foreach ($_POST as $key => $value) { - $temp = $value; + $temp = str_replace(">", "", $value); + if (isset($_POST['floating']) && $key == "interface") continue; $newpost = htmlentities($temp); |
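Review bot: the second added line, `if (isset($_POST['floating']) && $key == "interface") continue;`, skips the XSS check entirely for the interface field of floating rules, and neither the hunk nor the commit message says why; add a one-line comment giving the reason, and if the field is exempted only because its value is not a plain string, handle that case explicitly instead of bypassing the comparison. On the first added line, `$temp = str_replace(">", "", $value);` only changes the copy handed to `htmlentities()` for the comparison; `$value` itself still carries the `>` when the rule is saved, so the pages that render rule descriptions must keep HTML-encoding them on output. A short comment above the loop would also help: since the check still compares against `htmlentities()`, a description containing `&` or `"` is still rejected, not only one containing `<`.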