From bef1056048aa2e0839fd5839e83da154f06c8c2c Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Thu, 19 Jun 2014 11:29:18 -0300
Subject: Make sure single quotes are encoded and avoid javascript injection
---
 usr/local/www/exec.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'usr/local')
diff --git a/usr/local/www/exec.php b/usr/local/www/exec.php
index b95b72b..1963508 100644
--- a/usr/local/www/exec.php
+++ b/usr/local/www/exec.php
@@ -108,8 +108,8 @@ if (isBlank( $_POST['txtRecallBuffer'] )) {
 puts( " var arrRecallBuffer = new Array(" );
 $arrBuffer = explode( "&", $_POST['txtRecallBuffer'] );
 for ($i=0; $i < (count( $arrBuffer ) - 1); $i++)
- puts( " '" . htmlspecialchars($arrBuffer[$i]) . "'," );
- puts( " '" . htmlspecialchars($arrBuffer[count( $arrBuffer ) - 1]) . "'" );
+ puts( " '" . htmlspecialchars($arrBuffer[$i], ENT_QUOTES | ENT_HTML401) . "'," );
+ puts( " '" . htmlspecialchars($arrBuffer[count( $arrBuffer ) - 1], ENT_QUOTES | ENT_HTML401) . "'" );
 puts( " );" );
 }
--
cgit v1.1
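Review bot: The two `+` lines write user-supplied values into JavaScript single-quoted string literals, but htmlspecialchars() is an HTML-context encoder: `ENT_QUOTES` now neutralises a bare `'`, yet backslashes, CR/LF and U+2028/U+2029 pass through unchanged, so a value ending in `\` still escapes the closing quote and an embedded newline leaves the `<script>` block unparsable. Encoding for the JavaScript context is the more robust fix, e.g. `puts( " " . json_encode($arrBuffer[$i], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . "," );` with the same call for the final element, which yields a fully escaped, already-quoted literal and keeps `<`, `>` and `&` from interfering with the surrounding markup. A related functional side effect worth a comment on these lines is that with htmlspecialchars() the entities `&amp;`, `&#039;` and `&quot;` reach the JS string verbatim, so any recalled command containing `&` or quotes is displayed in its entity form. The enclosing `if`/`else` block starts before the hunk.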