From 060d4c5ec0ab239a1535c014f48651996bb59f4b Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 12 Nov 2010 12:02:21 -0500 Subject: More notice XSS fixes.
---
usr/local/www/fbegin.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'usr/local/www/fbegin.inc')
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index b720ca1..0f8a795 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -262,13 +262,13 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') {
 $noticemsg = str_replace("
", "", $noticemsg);
 $extra_args = "";
 if($_GET['xml'])
- $extraargs="&xml=" . $_GET['xml'];
+ $extraargs="&xml=" . htmlspecialchars($_GET['xml']);
 if($_POST['xml'])
- $extraargs="&xml=" . $_POST['xml'];
+ $extraargs="&xml=" . htmlspecialchars($_POST['xml']);
 if($_GET['id'])
- $extraargs="&xml=" . $_GET['id'];
+ $extraargs="&xml=" . htmlspecialchars($_GET['id']);
 if($_POST['id'])
- $extraargs="&xml=" . $_POST['id'];
+ $extraargs="&xml=" . htmlspecialchars($_POST['id']);
 $notice_msgs = 'Acknowledge All     .:.     ';
 if ($value['url']) {
 $notice_msgs .= $date.' - ['.$value['id'].']';
-- cgit v1.1
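Review bot: The four new `$extraargs` assignments escape the request value for HTML only, although it is being appended to a query string, and they call `htmlspecialchars()` with its default flags, which on PHP releases before 8.1 leave single quotes unescaped. The value should be URL-encoded first and then HTML-escaped with quotes included, e.g. `$extraargs = "&xml=" . htmlspecialchars(urlencode($_GET['xml']), ENT_QUOTES);`. Without that, a value containing `&` or `#` can still change the generated link's parameters, and a `'` remains significant if the link is emitted inside a single-quoted attribute or script string, which these lines do not show. Separately, the code initialises `$extra_args` but assigns `$extraargs`, and both `id` branches emit `&xml=` rather than `&id=`, which looks like a copy-paste slip worth confirming. The enclosing block starts and ends outside the hunk.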