From 21eff66f3199bb0c50c9ea5a9a473043dd4991a1 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 4 Dec 2007 00:14:20 +0000
Subject: Use htmlentities() to detect html injections.
---
 usr/local/www/firewall_nat_edit.php | 7 ++++---
 usr/local/www/firewall_rules_edit.php | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
(limited to 'usr/local')
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index a8f0031..6b5ab58 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -80,9 +80,10 @@ if (isset($_GET['dup']))
 /* run through $_POST items encoding HTML entties so that the user
 * cannot think he is slick and perform a XSS attack on the unwilling
 */
-foreach($_POST as $post) { $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto"); if($newpost <> $post)
+foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); if($newpost <> $temp)
 $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
 }
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 25e36a8..b2616d0 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -192,9 +192,10 @@ if ($_POST) {
 /* run through $_POST items encoding HTML entties so that the user
 * cannot think he is slick and perform a XSS attack on the unwilling
 */
- foreach($_POST as $post) { $newpost = mb_convert_encoding($post,"HTML-ENTITIES","auto"); if($newpost <> $post)
+ foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); if($newpost <> $temp)
 $input_errors[] = "Invalid characters detected. Please remove invalid characters and save again.";
 }
-- cgit v1.1
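Review bot: The new check in firewall_nat_edit.php calls `htmlentities($temp)` with default flags, so a single quote is left unconverted and passes the `$newpost <> $temp` comparison untouched, while `&`, `<`, `>` and `"` all trigger the error; a value built from `'` alone is accepted and its safety then depends entirely on how the field is escaped when rendered, which this hunk does not show. This loop is an input pre-filter, not output encoding, and the render path still needs htmlspecialchars() regardless of it. With no charset argument, htmlentities() presumably also converts accented Latin-1 bytes to named entities, so any description containing non-ASCII text is now rejected as "invalid characters" — worth a comment if that is intended. To at least close the quote gap and make the comparison byte-exact, use `if (htmlentities($value, ENT_QUOTES) !== $value)` and drop the unused `$temp` copy.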
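Review bot: In the firewall_rules_edit.php hunk, `$key` is never used and `$temp = $value;` is a needless copy since `$value` is not modified, so the body reduces to `if (htmlentities($value) <> $value)`; better still, use `!==` so PHP's loose `<>` juggling cannot mask a difference. The check also silently treats every `&` as hostile, so a legitimate description such as "R&D" will be rejected with the generic "Invalid characters" message; the error text should name the offending characters, or the field should be escaped on output instead of rejected on input. The enclosing `if ($_POST) {` block opens in the hunk header and closes outside the hunk.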