From d8c1a6c53c524714ad61dbcced0040108312a260 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 12 Feb 2008 04:40:35 +0000
Subject: Make scripts XSS input safe. Pointed-out: by hoopercharles@gmail.com
---
 usr/local/www/pkg_edit.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'usr/local/www/pkg_edit.php')
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index f7a5bc7..5a5ffdf 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -39,9 +39,8 @@ function gentitle_pkg($pgname) {
 return $pfSense_config['system']['hostname'] . "." . $pfSense_config['system']['domain'] . " - " . $pgname;
 }
-// XXX: Make this input safe.
-$xml = $_GET['xml'];
-if($_POST['xml']) $xml = $_POST['xml'];
+$xml = htmlspecialchars($_GET['xml']);
+if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
 if($xml == "") {
 print_info_box_np(gettext("ERROR: No package defined."));
@@ -68,7 +67,7 @@ $pgtitle = $title;
 $id = $_GET['id'];
 if (isset($_POST['id']))
- $id = $_POST['id'];
+ $id = htmlspecialchars($_POST['id']);
 if($pkg['custom_php_global_functions'] <> "")
 eval($pkg['custom_php_global_functions']);
@@ -80,7 +79,7 @@ if(!is_array($config['installedpackages'][xml_safe_fieldname($pkg['name'])]['con
 $a_pkg = &$config['installedpackages'][xml_safe_fieldname($pkg['name'])]['config'];
 if($_GET['savemsg'] <> "")
- $savemsg = $_GET['savemsg'];
+ $savemsg = htmlspecialchars($_GET['savemsg']);
 if($pkg['custom_php_command_before_form'] <> "")
 eval($pkg['custom_php_command_before_form']);
-- cgit v1.1
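Review bot: `htmlspecialchars()` is an HTML output encoder, not input validation, so the two added lines in the first hunk make `$xml` safe to echo into a page but not safe for anything else the script does with it; only `<`, `>`, `&` and quotes are altered, and if, as the name suggests, the value later selects a package definition file (that use is outside this hunk), a path separator or `..` passes through untouched. Validate the value against the shape a package name can take and reject everything else, e.g. `if ($xml != "" && !preg_match('/^[A-Za-z0-9_.-]+$/', $xml)) { print_info_box_np(gettext("ERROR: Invalid package name.")); exit; }`, and apply the HTML encoding where `$xml` is printed rather than where it is read. `$_GET['xml']` is also read without `isset()`, which raises a notice when the parameter is absent (the removed lines had the same problem); `isset($_GET['xml']) ? $_GET['xml'] : ""` avoids it. The same escape-at-read pattern is used for `$id` in the second hunk and `$savemsg` in the third, and the same distinction between encoding for display and validating for use applies there.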
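Review bot: In the second hunk only the POST branch is changed, while the context line two above it, `$id = $_GET['id'];`, still takes the GET value unencoded, so the two request methods end up handled differently and the GET path keeps the exposure this commit is meant to close. Since `$id` is presumably an index into the package config array (its use is outside the hunk), a numeric check is a better guard than HTML encoding and should cover both sources: `$id = isset($_GET['id']) ? $_GET['id'] : "";` / `if (isset($_POST['id'])) $id = $_POST['id'];` / `if ($id !== "" && !is_numeric($id)) $id = "";`. If non-numeric ids are legitimate somewhere in the file, substitute the matching allow-list test, but keep it the same for GET and POST.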