bisschen XSS-Schutz (88386ee) - webinterface.git

bisschen XSS-Schutz

bernd commited on 2007-06-16 14:17:05
Zeige 2 geänderte Dateien mit 9 Einfügungen und 3 Löschungen.

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@501 87cf0b9e-d624-0410-a070-f6ee81989793

modules/jabber/accounts.php ec89d9a..5c4aa83
modules/jabber/save.php 4e7b3e7..5968b45

modules/jabber/accounts.php

Zeige Datei @ 88386ee

@@ -5,6 +5,8 @@ require_once('session/start.php');
 require_once('domains.php');
 require_once('jabberaccounts.php');
 
+require_once('inc/security.php');
+
 require_role(ROLE_CUSTOMER);
 
 DEBUG("GET: ".htmlentities(print_r($_GET, true))." / POST: ".htmlentities(print_r($_POST, true)));
@@ -19,8 +21,9 @@ output("<h3>Jabber-Accounts</h3>
 
 foreach ($jabberaccounts as $acc)
 {
-  $domain = get_domain_name($acc['domain']);
-  output("<tr><td>{$acc['local']}@$domain</td><td>".internal_link('chpass.php', 'Passwort ändern', 'account='.$acc['id'])."&nbsp;&nbsp;&nbsp;".internal_link('save.php', 'Löschen', 'action=delete&account='.$acc['id']).'</td></tr>');
+  $local = filter_input_general($acc['local']);
+  $domain = filter_input_general( get_domain_name($acc['domain']) );
+  output("<tr><td>{$local}@$domain</td><td>".internal_link('chpass.php', 'Passwort ändern', 'account='.$acc['id'])."&nbsp;&nbsp;&nbsp;".internal_link('save.php', 'Löschen', 'action=delete&account='.$acc['id']).'</td></tr>');
 }
 
 output('</table>

modules/jabber/save.php

Zeige Datei @ 88386ee

@@ -5,6 +5,9 @@ require_once('session/start.php');
 require_once('domains.php');
 require_once('jabberaccounts.php');
 
+require_once('inc/security.php');
+
+
 require_role(ROLE_CUSTOMER);
 
 require_once("inc/debug.php");
@@ -47,7 +50,7 @@ elseif ($_GET['action'] == 'chpass')
 elseif ($_GET['action'] == 'delete')
 {
   $account = get_jabberaccount_details($_GET['account']);
-  $account_string = $account['local'].'@'.$account['domain'];
+  $account_string = filter_input_general( $account['local'].'@'.$account['domain'] );
   $sure = user_is_sure();
   if ($sure === NULL)
   {


...	...	@@ -5,6 +5,9 @@ require_once('session/start.php');
5	5	require_once('domains.php');
6	6	require_once('jabberaccounts.php');
7	7
	8	+require_once('inc/security.php');
	9	+
	10	+
8	11	require_role(ROLE_CUSTOMER);
9	12
10	13	require_once("inc/debug.php");
...	...	@@ -47,7 +50,7 @@ elseif ($_GET['action'] == 'chpass')
47	50	elseif ($_GET['action'] == 'delete')
48	51	{
49	52	$account = get_jabberaccount_details($_GET['account']);
50		- $account_string = $account['local'].'@'.$account['domain'];
	53	+ $account_string = filter_input_general( $account['local'].'@'.$account['domain'] );
51	54	$sure = user_is_sure();
52	55	if ($sure === NULL)
53	56	{
54	57

...	...	@@ -5,6 +5,8 @@ require_once('session/start.php');
5	5	require_once('domains.php');
6	6	require_once('jabberaccounts.php');
7	7
	8	+require_once('inc/security.php');
	9	+
8	10	require_role(ROLE_CUSTOMER);
9	11
10	12	DEBUG("GET: ".htmlentities(print_r($_GET, true))." / POST: ".htmlentities(print_r($_POST, true)));
...	...	@@ -19,8 +21,9 @@ output("<h3>Jabber-Accounts</h3>
19	21
20	22	foreach ($jabberaccounts as $acc)
21	23	{
22		- $domain = get_domain_name($acc['domain']);
23		- output("<tr><td>{$acc['local']}@$domain</td><td>".internal_link('chpass.php', 'Passwort ändern', 'account='.$acc['id'])."   ".internal_link('save.php', 'Löschen', 'action=delete&account='.$acc['id']).'</td></tr>');
	24	+ $local = filter_input_general($acc['local']);
	25	+ $domain = filter_input_general( get_domain_name($acc['domain']) );
	26	+ output("<tr><td>{$local}@$domain</td><td>".internal_link('chpass.php', 'Passwort ändern', 'account='.$acc['id'])."   ".internal_link('save.php', 'Löschen', 'action=delete&account='.$acc['id']).'</td></tr>');
24	27	}
25	28
26	29	output('</table>