-rwxr-xr-x | usr/local/www/firewall_nat_1to1_edit.php | 9 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 17 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_out_edit.php | 9 |
3 files changed, 19 insertions, 16 deletions
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php
index e9f4577..135d0e9 100755
--- a/usr/local/www/firewall_nat_1to1_edit.php
+++ b/usr/local/www/firewall_nat_1to1_edit.php
@@ -99,6 +99,15 @@ if ($_POST) {
 unset($input_errors);
 $pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach ($_POST as $key => $value) {
+ $temp = str_replace(">", "", $value);
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
+ $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
+ }
 /* input validation */
 $reqdfields = explode(" ", "interface external");
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 9895312..970720e 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -101,6 +101,7 @@ if (isset($_GET['dup']))
 /* run through $_POST items encoding HTML entties so that the user
 * cannot think he is slick and perform a XSS attack on the unwilling
 */
+unset($input_errors);
 foreach ($_POST as $key => $value) {
 $temp = $value;
 $newpost = htmlentities($temp);
@@ -173,7 +174,6 @@ if ($_POST) {
 $_POST['dsttype'] = "single";
 }
- unset($input_errors);
 $pconfig = $_POST;
 /* input validation */
@@ -290,9 +290,6 @@ if ($_POST) {
 }
 }
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation");
-
 if (!$input_errors) {
 $natent = array();
@@ -425,9 +422,6 @@ if ($_POST) {
 mark_subsystem_dirty('natconf');
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config");
-
 write_config();
 header("Location: firewall_nat.php");
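Review bot: The new loop in firewall_nat_1to1_edit.php (and the identical one in the firewall_nat_out_edit.php hunk at @@ -115) lets `>` through: `str_replace(">", "", $value)` removes it from the copy that `htmlentities()` is compared against, while `$_POST` and the `$pconfig` assigned on the previous line still carry the original value, so a submission is refused for `<`, `&` or quotes but accepted with `>`. Rejecting input is also a brittle XSS control on its own: `htmlentities($temp)` runs without an explicit charset or flags, so its behaviour depends on the PHP default, any legitimate `&` or apostrophe in a free-text field is refused, and an array-valued field, if this form posts one, would likely raise a warning and a spurious error. The durable fix is to escape at output with `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` wherever these values are printed, keeping this loop at most as defence in depth. If the loop stays, compare with `if ($newpost !== $temp)`, drop the unused `$key`, and confirm that `print_input_errors()` escapes the `$temp` it receives, since that string is by construction one that failed the check.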
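Review bot: firewall_nat_edit.php keeps `$temp = $value;` in its scan while the two new copies of the loop in firewall_nat_1to1_edit.php and firewall_nat_out_edit.php strip `>` first, so the three pages now reject different character sets for the same kind of input; one shared helper in a common include would keep them from drifting further. The relocated `unset($input_errors);` now sits at file scope ahead of the scan, which is presumably what stops the later `if ($_POST)` block (where the old `unset` used to be, per the @@ -173 hunk) from discarding the scan's errors; a comment such as `/* must run before the $_POST scan below, which appends to $input_errors */` would record that ordering dependency. The foreach body continues past the end of the hunk, so the comparison it performs is not visible here.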
@@ -446,11 +440,6 @@ include("fbegin.inc"); ?>
 <?php if ($input_errors) print_input_errors($input_errors); ?>
 <form action="firewall_nat_edit.php" method="post" name="iform" id="iform">
 <table width="100%" border="0" cellpadding="6" cellspacing="0">
-<?php
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphpearly");
-?>
-
 <tr>
 <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Redirect entry"); ?></td>
 </tr>
@@ -828,10 +817,6 @@ include("fbegin.inc"); ?>
 </select>
 </td>
 </tr><?php endif; ?>
-<?php
- // Allow extending of the nat edit page and include custom input validation
- pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphplate");
-?>
 <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%"> </td>
diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php
index 4d960f2..5057ea8 100755
--- a/usr/local/www/firewall_nat_out_edit.php
+++ b/usr/local/www/firewall_nat_out_edit.php
@@ -115,6 +115,15 @@ if ($_POST) {
 unset($input_errors);
 $pconfig = $_POST;
+ /* run through $_POST items encoding HTML entties so that the user
+ * cannot think he is slick and perform a XSS attack on the unwilling
+ */
+ foreach ($_POST as $key => $value) {
+ $temp = str_replace(">", "", $value);
+ $newpost = htmlentities($temp);
+ if($newpost <> $temp)
+ $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
+ }
 /* input validation */
 $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet");