From d8c1a6c53c524714ad61dbcced0040108312a260 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 12 Feb 2008 04:40:35 +0000
Subject: Make scripts XSS input safe.
Pointed-out: by hoopercharles@gmail.com
---
 usr/local/www/wizard.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'usr/local/www/wizard.php')
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index 2290099..64a5229 100755
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
@@ -34,14 +34,13 @@ function gentitle_pkg($pgname) {
 return $config['system']['hostname'] . "." . $config['system']['domain'] . " - " . $pgname;
 }
-$stepid = $_GET['stepid'];
+$stepid = htmlspecialchars($_GET['stepid']);
 if (isset($_POST['stepid']))
- $stepid = $_POST['stepid'];
+ $stepid = htmlspecialchars($_POST['stepid']);
 if (!$stepid) $stepid = "0";
-// XXX: Make this input safe.
-$xml = $_GET['xml'];
-if($_POST['xml']) $xml = $_POST['xml'];
+$xml = htmlspecialchars($_GET['xml']);
+if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
 if($xml == "") {
 $xml = "not_defined";
@@ -232,9 +231,9 @@ function enablechange() {
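Review bot: `htmlspecialchars()` on the new `$stepid` and `$xml` lines is output encoding applied at intake, so it does not constrain what the values are: `$stepid` still accepts arbitrary text and `$xml` still passes `/`, `.` and `..` through untouched, which leaves the `// XXX: Make this input safe.` concern this hunk deletes only partly addressed if `$xml` later selects a wizard file (that use is outside the hunk, so this is inferred, not seen). A second gap is that the default flags of `htmlspecialchars()` on PHP of this vintage leave single quotes unescaped, so any echo of these values into a single-quoted attribute or inline script stays injectable. I would validate at intake instead, casting `$stepid` to int and restricting `$xml` to a bare file name, and keep the escaping, with `ENT_QUOTES`, at the places where the values are echoed. The `if($xml == "")` block and the trailing context of this hunk continue past the visible lines.
```php
$stepid = isset($_GET['stepid']) ? (int)$_GET['stepid'] : 0;
if (isset($_POST['stepid']))
	$stepid = (int)$_POST['stepid'];
// … unchanged: fallback to "0" …
$xml = isset($_GET['xml']) ? $_GET['xml'] : "";
if (!empty($_POST['xml'])) $xml = $_POST['xml'];
// accept only a bare file name: no directory separators, so no path traversal is possible
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*$/', $xml))
	$xml = "";
// … unchanged: if($xml == "") handling …
```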