accept integer parameters in filter_*() and use filter_output_html() in html_* functions
Bernd Wurst

Bernd Wurst commited on 2019-10-14 11:50:19
Zeige 3 geänderte Dateien mit 10 Einfügungen und 6 Löschungen.

@@ -422,8 +422,8 @@ function html_select($name, $options, $default='', $free='')
422 422
         if ($default == $key) {
423 423
             $selected = ' selected="selected" ';
424 424
         }
425
-        $key = filter_input_general($key);
426
-        $value = filter_input_general($value);
425
+        $key = filter_output_html($key);
426
+        $value = filter_output_html($value);
427 427
         $ret .= "  <option value=\"{$key}\"{$selected}>{$value}</option>\n";
428 428
     }
429 429
     $ret .= '</select>';
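Review bot: The loose `$default == $key` comparison a few lines above the new escaping lines is fragile now that integer keys are explicitly accepted by the filter_* functions: with the default `$default=''`, `'' == 0` is true on PHP 7 (an option keyed `0` would be pre-selected with no default given) and false on PHP 8, so the same page renders differently across versions. Compare as strings explicitly, `if ((string) $default === (string) $key) {`. Switching to filter_output_html for the attribute and text is the right direction, assuming it escapes quotes (ENT_QUOTES or equivalent), since `$key` lands inside a double-quoted `value` attribute; the body of filter_output_html is not shown on this page. html_select's opening lines, including where `$selected` is reset, lie outside this hunk.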
@@ -75,7 +75,7 @@ function get_messages()
75 75
     <ul>
76 76
     ';
77 77
         foreach ($input_error as $error) {
78
-            $messages .= '<li>'.nl2br(filter_input_general($error))."</li>\n";
78
+            $messages .= '<li>'.nl2br(filter_output_html($error))."</li>\n";
79 79
         }
80 80
         $messages .= '</ul>
81 81
     </div>';
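Review bot: The order `nl2br(filter_output_html($error))` is the correct one, because the `<br />` tags nl2br inserts must not themselves be escaped, but nothing in the code records that, and a later edit swapping the two calls would silently break the list markup. A short comment on the foreach line would pin it down: `// escape first; the <br /> inserted by nl2br must survive`. The same pattern appears in the two following hunks for `$_SESSION['warning']` and `$_SESSION['success_msg']`; one `message_list_item($msg)` helper carrying that comment would remove the triplication. get_messages starts and ends outside these hunks.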
@@ -85,7 +85,7 @@ function get_messages()
85 85
     <ul>
86 86
     ';
87 87
         foreach ($_SESSION['warning'] as $msg) {
88
-            $messages .= '<li>'.nl2br(filter_input_general($msg))."</li>\n";
88
+            $messages .= '<li>'.nl2br(filter_output_html($msg))."</li>\n";
89 89
         }
90 90
         $messages .= '</ul>
91 91
     </div>';
@@ -96,7 +96,7 @@ function get_messages()
96 96
     <ul>
97 97
     ';
98 98
         foreach ($_SESSION['success_msg'] as $msg) {
99
-            $messages .= '<li>'.nl2br(filter_input_general($msg))."</li>\n";
99
+            $messages .= '<li>'.nl2br(filter_output_html($msg))."</li>\n";
100 100
         }
101 101
         $messages .= '</ul>
102 102
     </div>';
@@ -59,6 +59,7 @@ function filter_input_general($input)
59 59
     if ($input === null) {
60 60
         return null;
61 61
     }
62
+    $input = (string) $input;
62 63
     $filtered = preg_replace('/[\x00-\x09\x0b-\x0c\x0e-\x1f]/', '', $input);
63 64
     if ($filtered !== $input) {
64 65
         system_failure("Ihre Daten enthielten ungültige Zeichen!");
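Review bot: The new `$input = (string) $input;` cast accepts arrays and objects silently: an array (for example a `name[]` request parameter) becomes the literal string "Array" with only an array-to-string diagnostic and then passes the control-character check, while an object without `__toString` is a fatal conversion error; guard the cast with a scalar check, `if (!is_scalar($input)) { system_failure("Ihre Daten enthielten ungültige Zeichen!"); }`. The same applies to the casts added in filter_input_oneline, verify_input_ascii and verify_input_identifier in the following hunks. In verify_input_ascii the cast now guarantees string operands, so its `if ($filtered != $data)` should become `!==`: with `!=` two numeric strings compare numerically, and an input such as "100\n" (the newline is removed by FILTER_FLAG_STRIP_LOW) compares equal to "100", so the stripped data is neither logged nor rejected. filter_input_general's signature and tail lie outside this hunk.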
@@ -72,10 +73,11 @@ function filter_input_oneline($input)
72 73
     if ($input === null) {
73 74
         return null;
74 75
     }
76
+    $input = (string) $input;
75 77
     $filtered = preg_replace('/[\x00-\x1f]/', '', $input);
76 78
     if ($filtered !== $input) {
77 79
         system_failure("Ihre Daten enthielten ungültige Zeichen!");
78
-        logger(LOG_WARNING, 'inc/security', 'filter_input_general', 'Ungültige Daten!');
80
+        logger(LOG_WARNING, 'inc/security', 'filter_input_oneline', 'Ungültige Daten!');
79 81
     }
80 82
     return $filtered;
81 83
 }
@@ -89,6 +91,7 @@ function filter_output_html($data)
89 91
 
90 92
 function verify_input_ascii($data)
91 93
 {
94
+    $data = (string) $data;
92 95
     $filtered = filter_var($data, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
93 96
     if ($filtered != $data) {
94 97
         logger(LOG_WARNING, 'inc/security', 'verify_input_ascii', 'Ungültige Daten: '.$data);
@@ -100,6 +103,7 @@ function verify_input_ascii($data)
100 103
 
101 104
 function verify_input_identifier($data)
102 105
 {
106
+    $data = (string) $data;
103 107
     if ($data === "") {
104 108
         system_failure("Leerer Bezeichner");
105 109
     }
106 110