From 190d5d5814add2cc1a85fa8f3db01f54243acb58 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Fri, 12 Nov 2010 11:28:40 -0500
Subject: Fix XSS in notices.

---
 usr/local/www/fbegin.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'usr/local/www/fbegin.inc')

diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 12f8428..b720ca1 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -271,9 +271,9 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') {
 								$extraargs="&xml=" . $_POST['id'];
 							$notice_msgs = '<a href="?noticeaction=acknowledge&noticeid=all' . $extraargs . '">Acknowledge All</a> &nbsp;&nbsp;&nbsp;&nbsp;.:.&nbsp;&nbsp;&nbsp;&nbsp; ';
 							if ($value['url']) {
-								$notice_msgs .= $date.' - <a href="'.$url.'?'.$request_string.'&noticeaction=acknowledge&noticeid='.$key.'">['.$value['id'].']</a>';
+								$notice_msgs .= $date.' - <a href="'.$url.'?' . htmlspecialchars($request_string) . '&noticeaction=acknowledge&noticeid='.$key.'">['.$value['id'].']</a>';
 							} else {
-								$notice_msgs .= $date.' - <a href="?'.$request_string.'&noticeaction=acknowledge&noticeid='.$key.'">['.$value['id'].']'.$noticemsg.'</a>';
+								$notice_msgs .= $date.' - <a href="?' . htmlspecialchars($request_string) . '&noticeaction=acknowledge&noticeid='.$key.'">['.$value['id'].']'.$noticemsg.'</a>';
 							}
 							$notice_msgs .= " &nbsp;&nbsp;&nbsp;&nbsp;.:.&nbsp;&nbsp;&nbsp;&nbsp; ";
 						}
-- 
cgit v1.1