author | Renato Botelho <garga@FreeBSD.org> | 2013-09-06 08:08:03 -0300 |
committer | Renato Botelho <garga@FreeBSD.org> | 2013-09-06 08:10:37 -0300 |
commit | da95bdcd9202e0f240099af3bfdf284b8f404d9f (patch) | |
tree | 5fed6d9ea693d54ecc05dabdde4757490e5ef4f4 /usr | |
parent | 9e6043ccc904141b979c60df9390185a8aa080c7 (diff) | |
Fix #3127
By default htmlspecialchars() does not escape single quotes, which can be
a problem when a value attribute is set using it. Change the value attribute
to use double quotes in places where it is obviously receiving the
result of an htmlspecialchars() call.
Diffstat (limited to 'usr')
-rwxr-xr-x | usr/local/www/diag_authentication.php | 4 | ||||
-rwxr-xr-x | usr/local/www/pkg_edit.php | 12 | ||||
-rwxr-xr-x | usr/local/www/system_gateways_edit.php | 4 | ||||
-rwxr-xr-x | usr/local/www/wizard.php | 10 |
4 files changed, 15 insertions, 15 deletions
diff --git a/usr/local/www/diag_authentication.php b/usr/local/www/diag_authentication.php
index 5b33d88..98429d3 100755
--- a/usr/local/www/diag_authentication.php
+++ b/usr/local/www/diag_authentication.php
@@ -106,13 +106,13 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Username"); ?></td>
 <td width="78%" class="vtable">
- <input class="formfld unknown" size='20' id='username' name='username' value='<?=htmlspecialchars($pconfig['username']);?>' />
+ <input class="formfld unknown" size='20' id='username' name='username' value="<?=htmlspecialchars($pconfig['username']);?>" />
 </td>
 </tr>
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Password"); ?></td>
 <td width="78%" class="vtable">
- <input class="formfld pwd" type='password' size='20' id='password' name='password' value='<?=htmlspecialchars($pconfig['password']);?>' />
+ <input class="formfld pwd" type='password' size='20' id='password' name='password' value="<?=htmlspecialchars($pconfig['password']);?>" />
 </td>
 </tr>
 <tr>
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 0f9827c..90f6163 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -519,7 +519,7 @@ if ($pkg['tabs'] <> "") {
 switch($pkga['type']){
 case "input":
 $size = ($pkga['size'] ? " size='{$pkga['size']}' " : "");
- $input = "<input {$size} id='{$pkga['fieldname']}' name='{$pkga['fieldname']}' class='formfld unknown' value='" . htmlspecialchars($value) ."' />\n";
+ $input = "<input {$size} id='{$pkga['fieldname']}' name='{$pkga['fieldname']}' class='formfld unknown' value=\"" . htmlspecialchars($value) ."\" />\n";
 $input .= "<br/>" . fixup_string($pkga['description']) . "\n";
 if(isset($pkga['advancedfield']) && isset($adv_filed_count)) {
 $js_array[] = $pkga['fieldname'];
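Review bot: The quote swap on the two `value` attributes only holds as long as every future call site remembers to use double quotes; passing the flag to the escaper instead, `htmlspecialchars($pconfig['username'], ENT_QUOTES)`, makes the output safe in either quoting style and is the more robust fix. The same observation applies to every other hunk in this commit (pkg_edit.php, system_gateways_edit.php, wizard.php), where the remedy is again per-call-site quoting rather than the escaping flag. Separately, the password input pre-fills `value` with `$pconfig['password']`, so a submitted password is reflected back into the HTML of the response; consider leaving that field empty on re-render.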
@@ -531,7 +531,7 @@ if ($pkg['tabs'] <> "") {
 
 case "password":
 $size = ($pkga['size'] ? " size='{$pkga['size']}' " : "");
- $input = "<input " . $size . " id='" . $pkga['fieldname'] . "' type='password' name='" . $pkga['fieldname'] . "' class='formfld pwd' value='" . htmlspecialchars($value) . "' />\n";
+ $input = "<input " . $size . " id='" . $pkga['fieldname'] . "' type='password' name='" . $pkga['fieldname'] . "' class='formfld pwd' value=\"" . htmlspecialchars($value) . "\" />\n";
 $input .= "<br/>" . fixup_string($pkga['description']) . "\n";
 if(isset($pkga['advancedfield']) && isset($adv_filed_count)) {
 $js_array[] = $pkga['fieldname'];
@@ -921,8 +921,8 @@ if ($pkg['tabs'] <> "") {
 echo "<p><span class=\"red\"><strong>" . gettext("Note") . ":</strong></span> {$pkg['note']}</p>";
 }
 //if (isset($id) && $a_pkg[$id]) // We'll always have a valid ID in our hands
- echo "<input name='id' type='hidden' value='" . htmlspecialchars($id) . "' />";
- echo "<input name='Submit' type='submit' class='formbtn' value='" . htmlspecialchars($savevalue) . "' />\n{$pkg_buttons}\n";
+ echo "<input name='id' type='hidden' value=\"" . htmlspecialchars($id) . "\" />";
+ echo "<input name='Submit' type='submit' class='formbtn' value=\"" . htmlspecialchars($savevalue) . "\" />\n{$pkg_buttons}\n";
 if (!$only_edit){
 echo "<input class='formbtn' type='button' value='".gettext("Cancel")."' onclick='history.back()' />";
 }
@@ -967,13 +967,13 @@ function display_row($trc, $value, $fieldname, $type, $rowhelper, $size) {
 echo "<td>\n";
 switch($type){
 case "input":
- echo "<input size='{$size}' name='{$fieldname}{$trc}' id='{$fieldname}{$trc}' class='formfld unknown' value='" . htmlspecialchars($value) . "' />\n";
+ echo "<input size='{$size}' name='{$fieldname}{$trc}' id='{$fieldname}{$trc}' class='formfld unknown' value=\"" . htmlspecialchars($value) . "\" />\n";
 break;
 case "checkbox":
 echo "<input size='{$size}' type='checkbox' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' value='ON' ".($value?"CHECKED":"")." />\n";
 break;
 case "password":
- echo "<input size='{$size}' type='password' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' class='formfld pwd' value='" . htmlspecialchars($value) . "' />\n";
+ echo "<input size='{$size}' type='password' id='{$fieldname}{$trc}' name='{$fieldname}{$trc}' class='formfld pwd' value=\"" . htmlspecialchars($value) . "\" />\n";
 break;
 case "textarea":
 echo "<textarea rows='2' cols='12' id='{$fieldname}{$trc}' class='formfld unknown' name='{$fieldname}{$trc}'>{$value}</textarea>\n";
diff --git a/usr/local/www/system_gateways_edit.php b/usr/local/www/system_gateways_edit.php
index 7abd1f4..a1a0df5 100755
--- a/usr/local/www/system_gateways_edit.php
+++ b/usr/local/www/system_gateways_edit.php
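Review bot: In the `textarea` case on the last line of the hunk, `{$value}` is interpolated raw into the element body, while the `input` and `password` cases just above pass the very same `$value` through `htmlspecialchars()`; a value containing `</textarea>` would terminate the element early. Escape it the same way: `echo "<textarea rows='2' cols='12' id='{$fieldname}{$trc}' class='formfld unknown' name='{$fieldname}{$trc}'>" . htmlspecialchars($value) . "</textarea>\n";`. The body of display_row() starts before and continues past this hunk.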
@@ -483,9 +483,9 @@ function monitor_change() {
 
 /* If this is a system gateway we need this var */
 if(($pconfig['attribute'] == "system") || is_numeric($pconfig['attribute'])) {
- echo "<input type='hidden' name='attribute' id='attribute' value='" . htmlspecialchars($pconfig['attribute']) . "' />\n";
+ echo "<input type='hidden' name='attribute' id='attribute' value=\"" . htmlspecialchars($pconfig['attribute']) . "\" />\n";
 }
- echo "<input type='hidden' name='friendlyiface' id='friendlyiface' value='" . htmlspecialchars($pconfig['friendlyiface']) . "' />\n";
+ echo "<input type='hidden' name='friendlyiface' id='friendlyiface' value=\"" . htmlspecialchars($pconfig['friendlyiface']) . "\" />\n";
 ?>
 <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="system gateways edit">
 <tr>
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index bcfe95b..f56d994 100755
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
@@ -389,7 +389,7 @@ function showchange() {
 
 if(!$field['dontcombinecells'])
 echo "<td class=\"vtable\">\n";
- echo "<input class='formfld unknown' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "'";
+ echo "<input class='formfld unknown' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\"";
 if($field['size'])
 echo " size='" . $field['size'] . "' ";
 if($field['validate'])
@@ -420,7 +420,7 @@ function showchange() {
 
 echo "<td class=\"vtable\">\n";
 $inputaliases[] = $name;
- echo "<input class='formfldalias' autocomplete='off' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "'";
+ echo "<input class='formfldalias' autocomplete='off' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\"";
 if($field['size'])
 echo " size='" . $field['size'] . "' ";
 if($field['validate'])
@@ -493,7 +493,7 @@ function showchange() {
 }
 if(!$field['dontcombinecells'])
 echo "<td class=\"vtable\">";
- echo "<input class='formfld pwd' id='" . $name . "' name='" . $name . "' value='" . htmlspecialchars($value) . "' type='password' ";
+ echo "<input class='formfld pwd' id='" . $name . "' name='" . $name . "' value=\"" . htmlspecialchars($value) . "\" type='password' ";
 if($field['size'])
 echo " size='" . $field['size'] . "' ";
 echo " />\n";
@@ -649,7 +649,7 @@ function showchange() {
 case "submit":
 echo "<td> <br/></td></tr>";
 echo "<tr><td colspan=\"2\" align=\"center\">";
- echo "<input type='submit' name='" . $name . "' value='" . htmlspecialchars($field['name']) . "' />\n";
+ echo "<input type='submit' name='" . $name . "' value=\"" . htmlspecialchars($field['name']) . "\" />\n";
 if($field['description'] <> "") {
 echo "<br /> " . $field['description'];
@@ -713,7 +713,7 @@ function showchange() {
 continue;
 $SELECTED = "";
 if ($value == $tz) $SELECTED = " selected=\"selected\"";
- echo "<option value='" . htmlspecialchars($tz) . "' {$SELECTED}>";
+ echo "<option value=\"" . htmlspecialchars($tz) . "\" {$SELECTED}>";
 echo htmlspecialchars($tz);
 echo "</option>\n";
 }
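Review bot: The submit hunk escapes `$field['name']` for the `value` attribute but, on the same changed line, still emits `$name` raw inside the single-quoted `name` attribute, and two lines later prints `$field['description']` unescaped; if `$name` is derived from the same wizard definition as `$field['name']` (not visible here), the escaping is inconsistent within one element. The same raw `id='" . $name . "' name='" . $name . "'` pattern appears in the password hunk above and in the wizard hunks at `@@ -389` and `@@ -420`. Where the value is known to be a plain identifier a short comment saying so, `// $name is a sanitised field identifier, not user input`, would make the omission deliberate rather than accidental. The enclosing switch/loop starts and ends outside these hunks.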