authorEvgeny Yurchenko <ey@tm-k.com>2011-05-27 21:55:22 +0000
committerEvgeny Yurchenko <ey@tm-k.com>2011-05-27 21:55:22 +0000
commitb45babaeb55ac039f498d13ce556f2d04d4db1f4 (patch)
tree5698601812bf8e52323d51256242b3e1a0dacc83 /usr/local/www
parentce91583bde65545591fd813ba4183ef86571f466 (diff)
downloadpfsense-b45babaeb55ac039f498d13ce556f2d04d4db1f4.zip
pfsense-b45babaeb55ac039f498d13ce556f2d04d4db1f4.tar.gz
Bug #1403. Filter Rules description does not get saved when " (quote) is present as a character
Diffstat (limited to 'usr/local/www')
-rwxr-xr-xusr/local/www/firewall_nat_1to1_edit.php9
-rwxr-xr-xusr/local/www/firewall_nat_edit.php17
-rwxr-xr-xusr/local/www/firewall_nat_out_edit.php9
3 files changed, 19 insertions, 16 deletions
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php
index e9f4577..135d0e9 100755
--- a/usr/local/www/firewall_nat_1to1_edit.php
+++ b/usr/local/www/firewall_nat_1to1_edit.php
@@ -99,6 +99,15 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach ($_POST as $key => $value) {
+ $temp = str_replace(">", "", $value);
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
+ $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
+ }
/* input validation */
$reqdfields = explode(" ", "interface external");
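Review bot: The loop added ahead of the input-validation block rejects legitimate input: htmlentities() with its default flags also converts `&`, `"` and (under the default charset) any non-ASCII byte, so a description like `Tom & Jerry`, a quoted phrase or an accented name all trigger the "Invalid characters" error — the same symptom Bug #1403 describes — while `>` is stripped before the comparison and therefore passes unchecked. Despite the comment, nothing is encoded here (`$newpost` is never written back), so this is a reject-only filter and protection against script injection still depends on each value being escaped where it is rendered, which is not visible in this hunk. If `print_input_errors()` does not escape its argument, the raw `$temp` is reflected into the page, so pass `htmlspecialchars($temp)` to sprintf, and skip array-valued fields with `if (!is_string($value)) continue;` because htmlentities() warns and returns NULL on an array, which then compares unequal. The identical block is added to firewall_nat_out_edit.php in this commit and firewall_nat_edit.php carries a similar loop without the str_replace, so the three pages disagree on what they reject; one shared helper in a common include would keep them aligned.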
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 9895312..970720e 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -101,6 +101,7 @@ if (isset($_GET['dup']))
/* run through $_POST items encoding HTML entties so that the user
* cannot think he is slick and perform a XSS attack on the unwilling
*/
+unset($input_errors);
foreach ($_POST as $key => $value) {
$temp = $value;
$newpost = htmlentities($temp);
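Review bot: This validation loop still differs from the copies this commit adds to firewall_nat_1to1_edit.php and firewall_nat_out_edit.php — it does not strip `>` before calling htmlentities() — so the three NAT pages now reject different inputs under the same "invalid characters" message; a single shared helper in a common include would keep them aligned. The loop body continues past this hunk, so its comparison and error message are not visible here. Moving `unset($input_errors);` ahead of the loop is what lets the loop's errors reach the POST handler, which is presumably the Bug #1403 fix, but that ordering dependency deserves a comment such as `/* must stay above the XSS check so its errors are not discarded */`. Separately, the later hunks in this file drop the four `pfSense_handle_custom_code()` hook calls, which the commit message does not mention; if that is unintended, packages using those extension points silently lose them.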
@@ -173,7 +174,6 @@ if ($_POST) {
$_POST['dsttype'] = "single";
}
- unset($input_errors);
$pconfig = $_POST;
/* input validation */
@@ -290,9 +290,6 @@ if ($_POST) {
}
}
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation");
-
if (!$input_errors) {
$natent = array();
@@ -425,9 +422,6 @@ if ($_POST) {
mark_subsystem_dirty('natconf');
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config");
-
write_config();
header("Location: firewall_nat.php");
@@ -446,11 +440,6 @@ include("fbegin.inc"); ?>
<?php if ($input_errors) print_input_errors($input_errors); ?>
<form action="firewall_nat_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
-<?php
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphpearly");
-?>
-
<tr>
<td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Redirect entry"); ?></td>
</tr>
@@ -828,10 +817,6 @@ include("fbegin.inc"); ?>
</select>
</td>
</tr><?php endif; ?>
-<?php
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphplate");
-?>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">&nbsp;</td>
diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php
index 4d960f2..5057ea8 100755
--- a/usr/local/www/firewall_nat_out_edit.php
+++ b/usr/local/www/firewall_nat_out_edit.php
@@ -115,6 +115,15 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach ($_POST as $key => $value) {
+ $temp = str_replace(">", "", $value);
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
+ $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
+ }
/* input validation */
$reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet");