diff options
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 9 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 9 |
2 files changed, 18 insertions, 0 deletions
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index c840029..6e111d8 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -77,6 +77,15 @@ if($id) { if (isset($_GET['dup'])) unset($id); +/* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ +foreach($_POST as $post) { + $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto"); + if($newpost <> $post) + $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again."; +} + if ($_POST) { if ($_POST['beginport_cust'] && !$_POST['beginport']) diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 15b0eda..cd427d4 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -188,6 +188,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach($_POST as $post) { + $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto"); + if($newpost <> $post) + $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again."; + } + /* input validation */ $reqdfields = explode(" ", "type interface proto src dst"); $reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination"); |