From ee8981553bd187ea9eb0d2af88fb48c855a638dc Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Wed, 31 Oct 2012 14:02:22 -0400
Subject: Encode the if parameter before using it in redirects, too.

---
 usr/local/www/firewall_rules.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'usr')

diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php
index 599d6a3..876abc4 100755
--- a/usr/local/www/firewall_rules.php
+++ b/usr/local/www/firewall_rules.php
@@ -210,7 +210,7 @@ if ($_GET['act'] == "del") {
 		unset($a_filter[$_GET['id']]);
 		write_config();
 		mark_subsystem_dirty('filter');
-		header("Location: firewall_rules.php?if={$if}");
+		header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
 		exit;
 	}
 }
@@ -228,7 +228,7 @@ if (isset($_POST['del_x'])) {
 		}
 		write_config();
 		mark_subsystem_dirty('filter');
-		header("Location: firewall_rules.php?if={$if}");
+		header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
 		exit;
 	}
 } else if ($_GET['act'] == "toggle") {
@@ -239,7 +239,7 @@ if (isset($_POST['del_x'])) {
                         $a_filter[$_GET['id']]['disabled'] = true;
 		write_config();
 		mark_subsystem_dirty('filter');
-		header("Location: firewall_rules.php?if={$if}");
+		header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
 		exit;
 	}
 } else {
@@ -283,7 +283,7 @@ if (isset($_POST['del_x'])) {
 		$a_filter = $a_filter_new;
 		write_config();
 		mark_subsystem_dirty('filter');
-		header("Location: firewall_rules.php?if={$if}");
+		header("Location: firewall_rules.php?if=" . htmlspecialchars($if));
 		exit;
 	}
 }
-- 
cgit v1.1