author | Renato Botelho <garga@FreeBSD.org> | 2014-06-19 11:29:18 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-19 11:29:18 -0300 |
commit | 8aca755afeb815f99ab4ca5ddda769124f965d4a (patch) | |
tree | bc861391fa382c56dc5f73981d61cfaccf766656 /usr/local/www | |
parent | cedd070513d629a675559398b2a7f5cc8d86aa09 (diff) | |
Make sure single quotes are encoded and avoid javascript injection
Diffstat (limited to 'usr/local/www')
-rwxr-xr-x | usr/local/www/exec.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/local/www/exec.php b/usr/local/www/exec.php
index 0c57570..27fc237 100755
--- a/usr/local/www/exec.php
+++ b/usr/local/www/exec.php
@@ -107,8 +107,8 @@ if (isBlank( $_POST['txtRecallBuffer'] )) {
 puts( " var arrRecallBuffer = new Array(" );
 $arrBuffer = explode( "&", $_POST['txtRecallBuffer'] );
 for ($i=0; $i < (count( $arrBuffer ) - 1); $i++)
- puts( " '" . htmlspecialchars($arrBuffer[$i]) . "'," );
- puts( " '" . htmlspecialchars($arrBuffer[count( $arrBuffer ) - 1]) . "'" );
+ puts( " '" . htmlspecialchars($arrBuffer[$i], ENT_QUOTES | ENT_HTML401) . "'," );
+ puts( " '" . htmlspecialchars($arrBuffer[count( $arrBuffer ) - 1], ENT_QUOTES | ENT_HTML401) . "'" );
 puts( " );" );
 }
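Review bot: htmlspecialchars() is an HTML-context encoder, but both `+` lines write the POSTed values into a JavaScript single-quoted string literal, so ENT_QUOTES closes the quote vector while leaving backslashes, raw CR/LF and U+2028/U+2029 untouched; a trailing `\` in an element escapes the closing `'` and a bare newline in an element terminates the literal, so a crafted txtRecallBuffer can still desynchronise or break the array literal (whether that reaches code execution cannot be confirmed from these lines alone). The context-correct fix is to let PHP serialise the whole array rather than hand-building the literal: replace the `new Array(` line, the for loop and the two puts calls with `puts( " var arrRecallBuffer = " . json_encode( $arrBuffer, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT ) . ";" );`, which escapes `\`, control characters and non-ASCII for the script context and also stops `&#039;`-style entities being stored in the recall buffer values that the page's JavaScript presumably writes back into the textarea. The `if (isBlank(...))` block named in the hunk header begins before the hunk, so the branch this code sits in is not visible here.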