From ef2a753c7566a17da87c93de0d933259f89c87d8 Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@pfsense.org>
Date: Mon, 3 Dec 2007 20:33:46 +0000
Subject: * Run through all posted values and encode them to a temporary
 variable.  IF the contents differ then the operator is doing something bad. 
 Simply reject the item with invalid character error and let them fix their
 XSS exploit attempt, etc.

---
 usr/local/www/firewall_nat_edit.php | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'usr/local/www/firewall_nat_edit.php')

diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index c840029..6e111d8 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -77,6 +77,15 @@ if($id) {
 if (isset($_GET['dup']))
 	unset($id);
 
+/*  run through $_POST items encoding HTML entties so that the user
+ *  cannot think he is slick and perform a XSS attack on the unwilling 
+ */
+foreach($_POST as $post) {
+	$newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto");
+	if($newpost <> $post) 
+		$input_errors[] = "Invalid characters detected.  Please remove invalid characters and save again.";		
+}
+
 if ($_POST) {
 
 	if ($_POST['beginport_cust'] && !$_POST['beginport'])
-- 
cgit v1.1