Bernd Wurst commited on 2019-09-21 17:07:54
Zeige 49 geänderte Dateien mit 179 Einfügungen und 156 Löschungen.
... | ... |
@@ -59,18 +59,25 @@ function filter_input_general($input) |
59 | 59 |
if ($input === null) { |
60 | 60 |
return null; |
61 | 61 |
} |
62 |
- return htmlspecialchars(iconv('UTF-8', 'UTF-8', $input), ENT_QUOTES, 'UTF-8'); |
|
62 |
+ $filtered = preg_replace('/[\x00-\x09\x0b-\x0c\x0e-\x1f]/', '', $input); |
|
63 |
+ if ($filtered !== $input) { |
|
64 |
+ system_failure("Ihre Daten enthielten ungültige Zeichen!"); |
|
65 |
+ logger(LOG_WARNING, 'inc/security', 'filter_input_general', 'Ungültige Daten!'); |
|
66 |
+ } |
|
67 |
+ return $filtered; |
|
63 | 68 |
} |
64 | 69 |
|
65 |
- |
|
66 |
-function verify_input_general($input) |
|
70 |
+function filter_input_oneline($input) |
|
67 | 71 |
{ |
68 |
- if (filter_input_general($input) !== $input) { |
|
72 |
+ if ($input === null) { |
|
73 |
+ return null; |
|
74 |
+ } |
|
75 |
+ $filtered = preg_replace('/[\x00-\x1f]/', '', $input); |
|
76 |
+ if ($filtered !== $input) { |
|
69 | 77 |
system_failure("Ihre Daten enthielten ungültige Zeichen!"); |
70 |
- logger(LOG_WARNING, 'inc/security', 'verify_input_general', 'Ungültige Daten: '.$input); |
|
71 |
- } else { |
|
72 |
- return $input; |
|
78 |
+ logger(LOG_WARNING, 'inc/security', 'filter_input_general', 'Ungültige Daten!'); |
|
73 | 79 |
} |
80 |
+ return $filtered; |
|
74 | 81 |
} |
75 | 82 |
|
76 | 83 |
|
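Review bot: The logger() call at L77 in filter_input_oneline still names 'filter_input_general' as its source, and in both new functions logger() is placed after system_failure(); if system_failure() ends the request, as its use as an error exit throughout this diff suggests, the warning is never written. Swap the two lines and fix the name, `logger(LOG_WARNING, 'inc/security', 'filter_input_oneline', 'Ungültige Daten!');` before `system_failure("Ihre Daten enthielten ungültige Zeichen!");`, which is also the order verify_input_ascii uses at L111-L114. The removed line additionally passed the input through iconv('UTF-8', 'UTF-8', ...), which rejected invalid byte sequences; the new preg_replace without the `u` modifier lets them through, so an explicit `if (!mb_check_encoding($input, 'UTF-8')) { system_failure("Ihre Daten enthielten ungültige Zeichen!"); }` would keep malformed input out of storage. The first pattern `[\x00-\x09\x0b-\x0c\x0e-\x1f]` strips tab while keeping CR and LF; if that is intended, a one-line comment saying so would help the next reader.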
... | ... |
@@ -80,6 +87,31 @@ function filter_output_html($data) |
80 | 87 |
} |
81 | 88 |
|
82 | 89 |
|
90 |
+function verify_input_ascii($data) |
|
91 |
+{ |
|
92 |
+ $filtered = filter_var($data, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH); |
|
93 |
+ if ($filtered != $data) { |
|
94 |
+ logger(LOG_WARNING, 'inc/security', 'verify_input_ascii', 'Ungültige Daten: '.$data); |
|
95 |
+ system_failure("Ihre Eingabe enthielt ungültige Zeichen"); |
|
96 |
+ } |
|
97 |
+ return $filtered; |
|
98 |
+} |
|
99 |
+ |
|
100 |
+ |
|
101 |
+function verify_input_identifier($data) |
|
102 |
+{ |
|
103 |
+ if ($data === "") { |
|
104 |
+ system_failure("Leerer Bezeichner"); |
|
105 |
+ } |
|
106 |
+ $filtered = preg_replace("/[^[:alnum:]\_\.\-]/", "", $data); |
|
107 |
+ if ($filtered !== $data) { |
|
108 |
+ logger(LOG_WARNING, 'inc/security', 'verify_input_identifier', 'Ungültige Daten: '.$data); |
|
109 |
+ system_failure("Ihre Daten enthielten ungültige Zeichen!"); |
|
110 |
+ |
|
111 |
+ } |
|
112 |
+ return $filtered; |
|
113 |
+} |
|
114 |
+ |
|
83 | 115 |
|
84 | 116 |
function filter_input_username($input) |
85 | 117 |
{ |
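Review bot: verify_input_ascii compares with `!=` at L108 where every sibling helper uses `!==`; with the loose comparison a null $data passes, because filter_var() yields '' for it and `'' != null` is false, so the function returns '' for null instead of handling it like filter_input_general does. Add the guard the other filters have, `if ($data === null) { return null; }`, and change the test to `if ($filtered !== $data) {`. Both new functions also write the raw rejected value into the log (`'Ungültige Daten: '.$data`) while the filter functions at L24 and L77 were changed to log a fixed text only; for verify_input_ascii the rejected bytes are by definition control or high bytes, so logging them defeats the filter — log `$filtered`, or the length, instead. In verify_input_identifier the escapes in `[^[:alnum:]\_\.\-]` are unnecessary inside a character class; `'/[^[:alnum:]_.\-]/'` is equivalent and easier to read.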
... | ... |
@@ -102,12 +134,9 @@ function verify_input_username($input) |
102 | 134 |
|
103 | 135 |
function filter_input_hostname($input, $wildcard=false) |
104 | 136 |
{ |
105 |
- // FIXME: Eine "filter"-Funktion sollte keinen system_failure verursachen sondern einfach einen bereinigten String liefern. |
|
106 |
- |
|
107 | 137 |
DEBUG('filter_input_hostname("'.$input.'", $wildcard='.$wildcard.')'); |
108 | 138 |
$input = strtolower($input); |
109 |
- $input = rtrim($input, "\t\n\r\x00 ."); |
|
110 |
- $input = ltrim($input, "\t\n\r\x00 ."); |
|
139 |
+ $input = trim($input, "\t\n\r\x00 ."); |
|
111 | 140 |
if (preg_replace("/[^.]_/", "", $input) != $input) { |
112 | 141 |
system_failure("Der Unterstrich ist nur als erstes Zeichen eines Hostnames erlaubt."); |
113 | 142 |
} |
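Review bot: The FIXME removed at L188 described behaviour that is still present: filter_input_hostname continues to call system_failure() at L209 instead of returning a cleaned string, so the commit drops the reminder without resolving it. If aborting on bad input is now the intended contract of this "filter", replace the FIXME with a one-line comment such as `// validates and aborts via system_failure() rather than returning a cleaned string`; otherwise keep the FIXME. The trim() merge at L204 is equivalent to the two removed calls.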
... | ... |
@@ -142,7 +171,7 @@ function verify_input_hostname_utf8($input) |
142 | 171 |
system_failure("Ungültiger Hostname! idn ".$input); |
143 | 172 |
} |
144 | 173 |
$filter = filter_var($puny, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME); |
145 |
- if ($filter === false) { |
|
174 |
+ if ($filter !== $puny) { |
|
146 | 175 |
system_failure("Ungültiger Hostname! filter ".$input); |
147 | 176 |
} |
148 | 177 |
} |
... | ... |
@@ -31,6 +31,6 @@ check_form_token('adddomain_add'); |
31 | 31 |
|
32 | 32 |
register_domain($_REQUEST['domain'], $_REQUEST['uid']); |
33 | 33 |
|
34 |
-success_msg('Domain »'.filter_input_general($_REQUEST['domain']).'« wurde eingetragen!'); |
|
34 |
+success_msg('Domain »'.filter_output_html($_REQUEST['domain']).'« wurde eingetragen!'); |
|
35 | 35 |
|
36 | 36 |
redirect('search'); |
... | ... |
@@ -61,26 +61,26 @@ $buttons = '<span class="buttonset" id="buttonset-salutation"> |
61 | 61 |
<input type="radio" name="salutation" id="salutation-frau" value="Frau" '.($c['salutation'] === 'Frau' ? 'checked="checked"' : '').'/> |
62 | 62 |
<label for="salutation-frau">Frau</label>'; |
63 | 63 |
$html .= ' <tr class="'.($odd == true ? 'odd' : 'even').'"><td>Bevorzugte Anrede:</td><td>'.$buttons.'</td></tr>'; |
64 |
-$html .= ' <tr class="'.($odd == true ? 'odd' : 'even').'"><td>Firmenname:</td><td><input type="text" name="firma" id="firma" value="'.$c['company'].'" '.$readonly.' /></td></tr>'; |
|
64 |
+$html .= ' <tr class="'.($odd == true ? 'odd' : 'even').'"><td>Firmenname:</td><td><input type="text" name="firma" id="firma" value="'.filter_output_html($c['company']).'" '.$readonly.' /></td></tr>'; |
|
65 | 65 |
$odd = !$odd; |
66 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td>'.($c['company'] ? 'Ansprechpartner' : 'Name').':</td><td><input type="text" name="name" id="name" value="'.$c['name'].'" '.$readonly.' /></td></tr>'; |
|
66 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td>'.($c['company'] ? 'Ansprechpartner' : 'Name').':</td><td><input type="text" name="name" id="name" value="'.filter_output_html($c['name']).'" '.$readonly.' /></td></tr>'; |
|
67 | 67 |
$odd = !$odd; |
68 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="adresse">Adresse:</label></td><td><textarea rows="3" name="adresse" id="adresse">'.$c['address'].'</textarea></td></tr>'; |
|
68 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="adresse">Adresse:</label></td><td><textarea rows="3" name="adresse" id="adresse">'.filter_output_html($c['address']).'</textarea></td></tr>'; |
|
69 | 69 |
$odd = !$odd; |
70 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="plz">Land / PLZ:</label></td><td><input size="2" type="text" name="land" id="land" value="'.$c['country'].'" '.$readonly.' />-</strong><input type="text" name="plz" id="plz" value="'.$c['zip'].'"></td></tr>'; |
|
70 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="plz">Land / PLZ:</label></td><td><input size="2" type="text" name="land" id="land" value="'.filter_output_html($c['country']).'" '.$readonly.' />-</strong><input type="text" name="plz" id="plz" value="'.filter_output_html($c['zip']).'"></td></tr>'; |
|
71 | 71 |
$odd = !$odd; |
72 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="ort">Ort:</label></td><td><input type="text" name="ort" id="ort" value="'.$c['city'].'"></td></tr>'; |
|
72 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="ort">Ort:</label></td><td><input type="text" name="ort" id="ort" value="'.filter_output_html($c['city']).'"></td></tr>'; |
|
73 | 73 |
$odd = !$odd; |
74 | 74 |
|
75 | 75 |
|
76 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="email">E-Mail-Adresse:</label></td><td><input type="text" name="email" id="email" value="'.$c['email'].'"></td></tr>'; |
|
76 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="email">E-Mail-Adresse:</label></td><td><input type="text" name="email" id="email" value="'.filter_output_html($c['email']).'"></td></tr>'; |
|
77 | 77 |
$odd = !$odd; |
78 | 78 |
|
79 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Telefonnummer:</label></td><td><input type="text" name="telefon" id="telefon" value="'.$c['phone'].'"><span id="telefon_feedback"></span></td></tr>'; |
|
79 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Telefonnummer:</label></td><td><input type="text" name="telefon" id="telefon" value="'.filter_output_html($c['phone']).'"><span id="telefon_feedback"></span></td></tr>'; |
|
80 | 80 |
$odd = !$odd; |
81 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Mobil:</label></td><td><input type="text" name="mobile" id="mobile" value="'.$c['mobile'].'"><span id="mobile_feedback"></span></td></tr>'; |
|
81 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Mobil:</label></td><td><input type="text" name="mobile" id="mobile" value="'.filter_output_html($c['mobile']).'"><span id="mobile_feedback"></span></td></tr>'; |
|
82 | 82 |
$odd = !$odd; |
83 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Telefax:</label></td><td><input type="text" name="telefax" id="telefax" value="'.$c['fax'].'"><span id="telefax_feedback"></span></td></tr>'; |
|
83 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="telefon">Telefax:</label></td><td><input type="text" name="telefax" id="telefax" value="'.filter_output_html($c['fax']).'"><span id="telefax_feedback"></span></td></tr>'; |
|
84 | 84 |
$odd = !$odd; |
85 | 85 |
|
86 | 86 |
if ($domains) { |
... | ... |
@@ -93,9 +93,9 @@ if ($domains) { |
93 | 93 |
<input type="radio" name="usepgp" id="usepgp-no" value="no" '.($c['pgp_id'] ? '' : 'checked="checked"').'/> |
94 | 94 |
<label for="usepgp-no">kein PGP</label>'; |
95 | 95 |
$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="buttonset-usepgp">PGP-Verschlüsselung:</label></td><td>'.$buttons.'</td></tr>'; |
96 |
- $html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="pgpid">PGP-Key-ID:</label></td><td><input type="text" name="pgpid" id="pgpid" value="'.$c['pgp_id'].'" size="40"><button id="searchpgp" type="button">Auf Keyserver suchen</button><span id="pgpid_feedback"></span></td></tr>'; |
|
96 |
+ $html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="pgpid">PGP-Key-ID:</label></td><td><input type="text" name="pgpid" id="pgpid" value="'.filter_output_html($c['pgp_id']).'" size="40"><button id="searchpgp" type="button">Auf Keyserver suchen</button><span id="pgpid_feedback"></span></td></tr>'; |
|
97 | 97 |
$odd = !$odd; |
98 |
-$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="pgpkey">PGP-Key (ASCII-Armored):</label></td><td><textarea name="pgpkey" id="pgpkey">'.$c['pgp_key'].'</textarea></td></tr>'; |
|
98 |
+$html .= '<tr class="'.($odd == true ? 'odd' : 'even').'"><td><label for="pgpkey">PGP-Key (ASCII-Armored):</label></td><td><textarea name="pgpkey" id="pgpkey">'.filter_output_html($c['pgp_key']).'</textarea></td></tr>'; |
|
99 | 99 |
$odd = !$odd; |
100 | 100 |
|
101 | 101 |
$html .= '<tr class="even"><td> </td><td><input type="submit" value="Speichern" /></td></tr>'; |
... | ... |
@@ -118,7 +118,7 @@ if ($domains) { |
118 | 118 |
output('<p>Folgende Domains sind von dieser Änderung betroffen:</p> |
119 | 119 |
<ul>'); |
120 | 120 |
foreach ($domains as $dom) { |
121 |
- output('<li>'.$dom->fqdn.'</li>'); |
|
121 |
+ output('<li>'.filter_output_html($dom->fqdn).'</li>'); |
|
122 | 122 |
} |
123 | 123 |
output('</ul>'); |
124 | 124 |
} |
... | ... |
@@ -416,27 +416,27 @@ function domainlist_by_contact($c) |
416 | 416 |
|
417 | 417 |
function contact_as_string($contact) |
418 | 418 |
{ |
419 |
- $adresse = nl2br("\n".filter_input_general($contact['address'])."\n".filter_input_general($contact['country']).'-'.filter_input_general($contact['zip']).' '.filter_input_general($contact['city'])); |
|
419 |
+ $adresse = nl2br(filter_output_html("\n".$contact['address']."\n".$contact['country'].'-'.$contact['zip'].' '.$contact['city'])); |
|
420 | 420 |
if (! $contact['city']) { |
421 | 421 |
$adresse = ''; |
422 | 422 |
} |
423 |
- $name = filter_input_general($contact['name']); |
|
423 |
+ $name = filter_output_html($contact['name']); |
|
424 | 424 |
if ($contact['company']) { |
425 |
- $name = filter_input_general($contact['company'])."<br />".filter_input_general($contact['name']); |
|
425 |
+ $name = filter_output_html($contact['company'])."<br />".filter_output_html($contact['name']); |
|
426 | 426 |
} |
427 |
- $email = filter_input_general($contact['email']); |
|
427 |
+ $email = filter_output_html($contact['email']); |
|
428 | 428 |
$new_email = update_pending($contact['id']); |
429 | 429 |
if ($new_email) { |
430 |
- $email = "<strike>$email</strike><br/>".filter_input_general($new_email).footnote('Die E-Mail-Adresse wurde noch nicht bestätigt'); |
|
430 |
+ $email = "<strike>$email</strike><br/>".filter_output_html($new_email).footnote('Die E-Mail-Adresse wurde noch nicht bestätigt'); |
|
431 | 431 |
} |
432 |
- $email = implode("<br>\n", array_filter(array($email, filter_input_general($contact['phone']), filter_input_general($contact['fax']), filter_input_general($contact['mobile'])))); |
|
432 |
+ $email = implode("<br>\n", array_filter(array($email, filter_output_html($contact['phone']), filter_output_html($contact['fax']), filter_output_html($contact['mobile'])))); |
|
433 | 433 |
$pgp = ''; |
434 | 434 |
if ($contact['pgp_id']) { |
435 | 435 |
$pgpid = $contact['pgp_id']; |
436 | 436 |
if (strlen($pgpid) > 20) { |
437 | 437 |
$pgpid = substr($pgpid, 0, 20).' '.substr($pgpid, 20); |
438 | 438 |
} |
439 |
- $pgp = '<p class="contact-pgp">'.other_icon('key.png').' PGP ID:<br>'.$pgpid.'</p>'; |
|
439 |
+ $pgp = '<p class="contact-pgp">'.other_icon('key.png').' PGP ID:<br>'.filter_output_html($pgpid).'</p>'; |
|
440 | 440 |
} |
441 | 441 |
|
442 | 442 |
$contact_string = "<p class=\"contact-id\">#{$contact['id']}</p><p class=\"contact-address\"><strong>$name</strong>$adresse</p><p class=\"contact-contact\">$email</p>$pgp"; |
... | ... |
@@ -92,14 +92,14 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') { |
92 | 92 |
} elseif ($_REQUEST['salutation'] == 'Frau') { |
93 | 93 |
$c['salutation'] = 'Frau'; |
94 | 94 |
} |
95 |
- $c['company'] = verify_input_general(maybe_null($_REQUEST['firma'])); |
|
96 |
- $c['name'] = verify_input_general(maybe_null($_REQUEST['name'])); |
|
97 |
- $c['address'] = verify_input_general(maybe_null($_REQUEST['adresse'])); |
|
98 |
- $c['country'] = verify_input_general(maybe_null(strtoupper($_REQUEST['land']))); |
|
99 |
- $c['zip'] = verify_input_general(maybe_null($_REQUEST['plz'])); |
|
100 |
- $c['city'] = verify_input_general(maybe_null($_REQUEST['ort'])); |
|
95 |
+ $c['company'] = filter_input_general(maybe_null($_REQUEST['firma'])); |
|
96 |
+ $c['name'] = filter_input_general(maybe_null($_REQUEST['name'])); |
|
97 |
+ $c['address'] = filter_input_general(maybe_null($_REQUEST['adresse'])); |
|
98 |
+ $c['country'] = filter_input_oneline(maybe_null(strtoupper($_REQUEST['land']))); |
|
99 |
+ $c['zip'] = filter_input_oneline(maybe_null($_REQUEST['plz'])); |
|
100 |
+ $c['city'] = filter_input_oneline(maybe_null($_REQUEST['ort'])); |
|
101 | 101 |
if ($new && isset($_REQUEST['email'])) { |
102 |
- $c['email'] = verify_input_general(maybe_null($_REQUEST['email'])); |
|
102 |
+ $c['email'] = filter_input_oneline(maybe_null($_REQUEST['email'])); |
|
103 | 103 |
if (!check_emailaddr($c['email'])) { |
104 | 104 |
system_failure("Ungültige E-Mail-Adresse!"); |
105 | 105 |
} |
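Review bot: With verify_input_general replaced by the filter functions at L499-L514, the values placed in $c are no longer HTML-escaped on input (the removed filter_input_general at L12 applied htmlspecialchars), so every rendering of these fields now has to escape on output. This commit covers the contact form, contact_as_string and contract_html, but any consumer outside the diff (mail templates, exports) would need the same change; a short comment above this block, `// values are stored raw; escape with filter_output_html() when rendering`, would make the new contract explicit for the next maintainer.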
... | ... |
@@ -107,7 +107,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') { |
107 | 107 |
|
108 | 108 |
|
109 | 109 |
if (isset($_REQUEST['telefon']) && $_REQUEST['telefon'] != '') { |
110 |
- $num = format_number(verify_input_general($_REQUEST['telefon']), $_REQUEST['land']); |
|
110 |
+ $num = format_number(filter_input_oneline($_REQUEST['telefon']), $_REQUEST['land']); |
|
111 | 111 |
if ($num) { |
112 | 112 |
$c['phone'] = $num; |
113 | 113 |
} else { |
... | ... |
@@ -117,9 +117,13 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') { |
117 | 117 |
$c['phone'] = null; |
118 | 118 |
} |
119 | 119 |
if (isset($_REQUEST['mobile']) && $_REQUEST['mobile'] != '') { |
120 |
- $num = format_number(verify_input_general($_REQUEST['mobile']), $_REQUEST['land']); |
|
120 |
+ $num = format_number(filter_input_oneline($_REQUEST['mobile']), $_REQUEST['land']); |
|
121 | 121 |
if ($num) { |
122 | 122 |
$c['mobile'] = $num; |
123 |
+ if (! $c['phone']) { |
|
124 |
+ // dupliziere die Mobiltelefonnummer als normale Nummer wegen der Nutzung als Domainhandles |
|
125 |
+ $c['phone'] = $num; |
|
126 |
+ } |
|
123 | 127 |
} else { |
124 | 128 |
system_failure('Die eingegebene Mobiltelefonnummer scheint nicht gültig zu sein!'); |
125 | 129 |
} |
... | ... |
@@ -127,7 +131,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') { |
127 | 131 |
$c['mobile'] = null; |
128 | 132 |
} |
129 | 133 |
if (isset($_REQUEST['telefax']) && $_REQUEST['telefax'] != '') { |
130 |
- $num = format_number(verify_input_general($_REQUEST['telefax']), $_REQUEST['land']); |
|
134 |
+ $num = format_number(filter_input_oneline($_REQUEST['telefax']), $_REQUEST['land']); |
|
131 | 135 |
if ($num) { |
132 | 136 |
$c['fax'] = $num; |
133 | 137 |
} else { |
... | ... |
@@ -188,9 +192,9 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') { |
188 | 192 |
$id = save_contact($c); |
189 | 193 |
$c['id'] = $id; |
190 | 194 |
|
191 |
- if (isset($_REQUEST['email']) && ($new || $c['email'] != $_REQUEST['email'])) { |
|
195 |
+ if (isset($_REQUEST['email']) && check_emailaddr($_REQUEST['email']) && ($new || $c['email'] != $_REQUEST['email'])) { |
|
192 | 196 |
if (have_mailaddress($_REQUEST['email'])) { |
193 |
- save_emailaddress($c['id'], verify_input_general($_REQUEST['email'])); |
|
197 |
+ save_emailaddress($c['id'], $_REQUEST['email']); |
|
194 | 198 |
} else { |
195 | 199 |
send_emailchange_token($c['id'], $_REQUEST['email']); |
196 | 200 |
} |
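Review bot: The condition rewritten at L618 adds check_emailaddr() so that a malformed address now silently skips the whole save/notification block, whereas for new contacts the same failure at L525-L527 aborts with `system_failure("Ungültige E-Mail-Adresse!")`; a user editing an existing contact with an invalid address gets the success path with the old address kept and no message. Either fail here as well or emit a warning before skipping. The raw `$_REQUEST['email']` passed at L626 also bypasses filter_input_oneline(), unlike L522 in the same file; `save_emailaddress($c['id'], filter_input_oneline($_REQUEST['email']));` keeps the two paths consistent and rejects control characters independently of what check_emailaddr() accepts (its body is not in view).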
... | ... |
@@ -37,12 +37,12 @@ function contract_html() |
37 | 37 |
|
38 | 38 |
$kundenkontakte = get_kundenkontakte(); |
39 | 39 |
$kunde = get_contact($kundenkontakte['kunde']); |
40 |
- $adresse = nl2br("\n".filter_input_general($kunde['address'])."\n".filter_input_general($kunde['country']).'-'.filter_input_general($kunde['zip']).' '.filter_input_general($kunde['city'])); |
|
41 |
- $name = filter_input_general($kunde['name']); |
|
40 |
+ $adresse = nl2br("\n".filter_output_html($kunde['address']."\n".$kunde['country'].'-'.$kunde['zip'].' '.$kunde['city'])); |
|
41 |
+ $name = filter_output_html($kunde['name']); |
|
42 | 42 |
if ($kunde['company']) { |
43 |
- $name = filter_input_general($kunde['company'])."<br />".filter_input_general($kunde['name']); |
|
43 |
+ $name = filter_output_html($kunde['company'])."<br />".filter_output_html($kunde['name']); |
|
44 | 44 |
} |
45 |
- $email = filter_input_general($kunde['email']); |
|
45 |
+ $email = filter_output_html($kunde['email']); |
|
46 | 46 |
$address = "<strong>$name</strong>$adresse</p><p>E-Mail-Adresse: $email"; |
47 | 47 |
|
48 | 48 |
$date = date('d.m.Y'); |
... | ... |
@@ -30,8 +30,8 @@ $domain->ensure_userdomain(); |
30 | 30 |
|
31 | 31 |
DEBUG($domain); |
32 | 32 |
|
33 |
-title('DNS-Records für '.filter_input_general($domain->fqdn)); |
|
34 |
-headline('DNS-Records für <em>'.filter_input_general($domain->fqdn).'</em>'); |
|
33 |
+title('DNS-Records für '.filter_output_html($domain->fqdn)); |
|
34 |
+headline('DNS-Records für <em>'.filter_output_html($domain->fqdn).'</em>'); |
|
35 | 35 |
|
36 | 36 |
if ($domain->provider != 'terions' || $domain->billing != 'regular' || $domain->registrierungsdatum == null || $domain->kuendigungsdatum != null) { |
37 | 37 |
$state = check_dns($domain->domainname, $domain->tld); |
... | ... |
@@ -58,7 +58,7 @@ output('<table><tr><th>Hostname</th><th>Typ</th><th>IP-Adresse/Inhalt</th><th>TT |
58 | 58 |
'); |
59 | 59 |
foreach ($records as $rec) { |
60 | 60 |
$editable = true; |
61 |
- $data = filter_input_general($rec['ip'] ? $rec['ip'] : $rec['data']); |
|
61 |
+ $data = filter_output_html($rec['ip'] ? $rec['ip'] : $rec['data']); |
|
62 | 62 |
if ($rec['dyndns']) { |
63 | 63 |
if ($domain->fqdn == config('masterdomain')) { |
64 | 64 |
$data = '<em>DynDNS #'.(int) $rec['dyndns'].'</em>'; |
... | ... |
@@ -68,7 +68,7 @@ foreach ($records as $rec) { |
68 | 68 |
if ($dyndns === null) { |
69 | 69 |
$data = '<em>DynDNS #'.(int) $rec['dyndns'].' (nicht Ihr Account)</em>'; |
70 | 70 |
} else { |
71 |
- $data = internal_link('dyndns_edit', '<em>DynDNS #'.(int) $rec['dyndns'].' ('.filter_input_general($dyndns['handle']).')</em>', 'id='.(int) $rec['dyndns']); |
|
71 |
+ $data = internal_link('dyndns_edit', '<em>DynDNS #'.(int) $rec['dyndns'].' ('.filter_output_html($dyndns['handle']).')</em>', 'id='.(int) $rec['dyndns']); |
|
72 | 72 |
} |
73 | 73 |
} |
74 | 74 |
} |
... | ... |
@@ -97,7 +97,7 @@ foreach ($records as $rec) { |
97 | 97 |
output("<tr><td>{$link}</td><td>".strtoupper($rec['type'])."</td><td>".$data."</td><td>{$ttl} Sek.</td><td>".$delete."</td></tr>\n"); |
98 | 98 |
} |
99 | 99 |
foreach ($auto_records as $rec) { |
100 |
- $data = filter_input_general($rec['ip'] ? $rec['ip'] : $rec['data']); |
|
100 |
+ $data = filter_output_html($rec['ip'] ? $rec['ip'] : $rec['data']); |
|
101 | 101 |
$ttl = ($rec['ttl'] ? $rec['ttl'] : 3600); |
102 | 102 |
output("<tr><td><em>{$rec['fqdn']}</em></td><td>".strtoupper($rec['type'])."</td><td>$data</td><td>{$ttl} Sek.</td><td> </td></tr>\n"); |
103 | 103 |
} |
... | ... |
@@ -118,7 +118,7 @@ if ($type == 'ptr' || $type == 'cname') { |
118 | 118 |
|
119 | 119 |
if ($type == 'spf' || $type == 'txt') { |
120 | 120 |
$form .= ' |
121 |
-<tr><td><label for="data">Inhalt:</label></td><td><input type="text" name="data" id="data" value="'.filter_input_general($data['data']).'" /></td></tr> |
|
121 |
+<tr><td><label for="data">Inhalt:</label></td><td><input type="text" name="data" id="data" value="'.filter_output_html($data['data']).'" /></td></tr> |
|
122 | 122 |
'; |
123 | 123 |
} |
124 | 124 |
|
... | ... |
@@ -140,7 +140,7 @@ if ($type == 'sshfp') { |
140 | 140 |
|
141 | 141 |
$form .= ' |
142 | 142 |
<tr><td><label for="spec">Algorithmus:</label></td><td><select name="spec" id="spec">'.$option.'</select></td></tr> |
143 |
-<tr><td><label for="data">Fingerabdruck:</label></td><td><input type="text" name="data" id="data" value="'.$data['data'].'" /></td></tr> |
|
143 |
+<tr><td><label for="data">Fingerabdruck:</label></td><td><input type="text" name="data" id="data" value="'.filter_output_html($data['data']).'" /></td></tr> |
|
144 | 144 |
'; |
145 | 145 |
} |
146 | 146 |
|
... | ... |
@@ -25,7 +25,7 @@ require_once('dnsinclude.php'); |
25 | 25 |
$section = 'dns_dyndns'; |
26 | 26 |
$dyndns = get_dyndns_account($_REQUEST['id']); |
27 | 27 |
|
28 |
-title("Hostnames für DynDNS-Account ".filter_input_general($dyndns['handle'])); |
|
28 |
+title("Hostnames für DynDNS-Account ".filter_output_html($dyndns['handle'])); |
|
29 | 29 |
|
30 | 30 |
$available_domains = array(); |
31 | 31 |
|
... | ... |
@@ -53,7 +53,7 @@ if ($records) { |
53 | 53 |
|
54 | 54 |
output('<h4>Neuen Hostname festlegen</h4>'); |
55 | 55 |
|
56 |
-$form = '<p><label for="hostname">Neuer Hostname: </label> <input type="text" name="hostname" id="hostname" value="'.$dyndns['handle'].'" /> . '.html_select('domain', $available_domains).' </p> |
|
56 |
+$form = '<p><label for="hostname">Neuer Hostname: </label> <input type="text" name="hostname" id="hostname" value="'.filter_output_html($dyndns['handle']).'" /> . '.html_select('domain', $available_domains).' </p> |
|
57 | 57 |
<p>Typ: <select name="type"><option value="a" selected="selected">A / IPv4</option><option value="aaaa">AAAA / IPv6</option></select></p> |
58 | 58 |
<p><input type="submit" value="Speichern"/></p>'; |
59 | 59 |
|
... | ... |
@@ -62,7 +62,7 @@ function create_dyndns_account($handle, $password_http, $sshkey) |
62 | 62 |
system_failure('Sie müssen entweder einen SSH-Key oder ein Passwort zum Web-Update eingeben.'); |
63 | 63 |
} |
64 | 64 |
|
65 |
- $handle = filter_input_username($handle); |
|
65 |
+ $handle = verify_input_identifier($handle); |
|
66 | 66 |
|
67 | 67 |
if (strlen(trim($sshkey)) == 0) { |
68 | 68 |
$sshkey = null; |
... | ... |
@@ -94,9 +94,9 @@ function edit_dyndns_account($id, $handle, $password_http, $sshkey) |
94 | 94 |
{ |
95 | 95 |
$id = (int) $id; |
96 | 96 |
$oldaccount = get_dyndns_account($id); |
97 |
- $handle = filter_input_username($handle); |
|
98 |
- $sshkey = filter_input_general($sshkey); |
|
99 |
- if (chop($sshkey) == '') { |
|
97 |
+ $handle = verify_input_identifier($handle); |
|
98 |
+ $sshkey = verify_input_ascii($sshkey); |
|
99 |
+ if (trim($sshkey) == '') { |
|
100 | 100 |
$sshkey = null; |
101 | 101 |
} |
102 | 102 |
|
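Review bot: edit_dyndns_account now runs $sshkey through verify_input_ascii() at L883 before the empty check, but the create path visible at L843-L862 tests `strlen(trim($sshkey)) == 0` on the unfiltered value and, as far as that hunk shows, never applies the same filter; if create_dyndns_account stores the key further down outside the hunk, a key containing control or non-ASCII bytes would be accepted on creation and rejected on edit. Add `$sshkey = verify_input_ascii($sshkey);` before the empty check in create_dyndns_account as well. The new `trim($sshkey) == ''` at L886 should be `=== ''` to match the strict comparisons used in the new security helpers.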
... | ... |
@@ -41,10 +41,10 @@ if (isset($_REQUEST['domain'])) { |
41 | 41 |
if (substr($request, 0, 4) == 'www.') { |
42 | 42 |
$request = str_replace('www.', '', $request); |
43 | 43 |
} |
44 |
- verify_input_general($request); |
|
44 |
+ verify_input_hostname_utf8($request); |
|
45 | 45 |
$punycode = idn_to_ascii($request, 0, INTL_IDNA_VARIANT_UTS46); |
46 | 46 |
if (!check_domain($punycode)) { |
47 |
- warning("Ungültiger Domainname: ".filter_input_general($request)); |
|
47 |
+ warning("Ungültiger Domainname: ".filter_output_html($request)); |
|
48 | 48 |
redirect(''); |
49 | 49 |
} |
50 | 50 |
$dom = new Domain(); |
... | ... |
@@ -58,7 +58,7 @@ if (isset($_REQUEST['domain'])) { |
58 | 58 |
} |
59 | 59 |
$avail = api_domain_available($request); |
60 | 60 |
if ($avail['status'] == 'available') { |
61 |
- output('<p class="domain-available">Die Domain '.filter_input_general($request).' ist verfügbar!</p>'); |
|
61 |
+ output('<p class="domain-available">Die Domain '.filter_output_html($request).' ist verfügbar!</p>'); |
|
62 | 62 |
# Neue Domain eintragen |
63 | 63 |
$data = get_domain_offer($avail['domainSuffix']); |
64 | 64 |
if ($data === false) { |
... | ... |
@@ -66,20 +66,20 @@ if (isset($_REQUEST['domain'])) { |
66 | 66 |
} else { |
67 | 67 |
$form = '<p>Folgende Konditionen gelten bei Registrierung der Domain im nächsten Schritt:</p> |
68 | 68 |
<table> |
69 |
- <tr><td>Domainname:</td><td><strong>'.filter_input_general($request).'</strong></td></tr> |
|
69 |
+ <tr><td>Domainname:</td><td><strong>'.filter_output_html($request).'</strong></td></tr> |
|
70 | 70 |
<tr><td>Jahresgebühr:</td><td style="text-align: right;">'.$data['gebuehr'].' €'.footnote('Bruttobetrag inkl. 19% deutsche USt. Nettopreise für innergemeinschaftlichen Handel können vom Support eingetragen werden.').'</td></tr>'; |
71 | 71 |
if ($data['setup']) { |
72 | 72 |
$form .= '<tr><td>Setup-Gebühr (einmalig):</td><td style="text-align: right;">'.$data['setup'].' €'.footnote('Bruttobetrag inkl. 19% deutsche USt. Nettopreise für innergemeinschaftlichen Handel können vom Support eingetragen werden.').'</td></tr>'; |
73 | 73 |
} |
74 | 74 |
$form .='</table>'; |
75 | 75 |
|
76 |
- $form .= '<p><input type="hidden" name="domain" value="'.filter_input_general($request).'"> |
|
76 |
+ $form .= '<p><input type="hidden" name="domain" value="'.filter_output_html($request).'"> |
|
77 | 77 |
<input type="submit" name="submit" value="Ich möchte diese Domain registrieren"></p>'; |
78 | 78 |
output(html_form('domains_register', 'domainreg', '', $form)); |
79 | 79 |
output('<p>'.internal_link('domains', 'Zurück').'</p>'); |
80 | 80 |
} |
81 | 81 |
} elseif ($avail['status'] == 'registered' || $avail['status'] == 'alreadyRegistered') { |
82 |
- output('<p class="domain-unavailable">Die Domain '.filter_input_general($request).' ist bereits vergeben.</p>'); |
|
82 |
+ output('<p class="domain-unavailable">Die Domain '.filter_output_html($request).' ist bereits vergeben.</p>'); |
|
83 | 83 |
|
84 | 84 |
output('<h3>Domain zu '.config('company_name').' umziehen</h3>'); |
85 | 85 |
if ($avail['status'] == 'registered' && $avail['transferMethod'] != 'authInfo') { |
... | ... |
@@ -92,7 +92,7 @@ if (isset($_REQUEST['domain'])) { |
92 | 92 |
} else { |
93 | 93 |
$form = '<p>Folgende Konditionen gelten beim Transfer der Domain im nächsten Schritt:</p> |
94 | 94 |
<table> |
95 |
- <tr><td>Domainname:</td><td><strong>'.filter_input_general($avail['domainNameUnicode']).'</strong></td></tr> |
|
95 |
+ <tr><td>Domainname:</td><td><strong>'.filter_output_html($avail['domainNameUnicode']).'</strong></td></tr> |
|
96 | 96 |
<tr><td>Jahresgebühr:</td><td style="text-align: right;">'.$data['gebuehr'].' €'.footnote('Bruttobetrag inkl. 19% deutsche USt. Nettopreise für innergemeinschaftlichen Handel können vom Support eingetragen werden.').'</td></tr>'; |
97 | 97 |
if ($data['setup']) { |
98 | 98 |
$form .= '<tr><td>Setup-Gebühr (einmalig):</td><td style="text-align: right;">'.$data['setup'].' €'.footnote('Bruttobetrag inkl. 19% deutsche USt. Nettopreise für innergemeinschaftlichen Handel können vom Support eingetragen werden.').'</td></tr>'; |
... | ... |
@@ -100,7 +100,7 @@ if (isset($_REQUEST['domain'])) { |
100 | 100 |
$form .='</table>'; |
101 | 101 |
|
102 | 102 |
|
103 |
- $form .= '<p><input type="hidden" name="domain" value="'.filter_input_general($avail['domainNameUnicode']).'"> |
|
103 |
+ $form .= '<p><input type="hidden" name="domain" value="'.filter_output_html($avail['domainNameUnicode']).'"> |
|
104 | 104 |
<input type="submit" name="submit" value="Ich möchte diese Domain zu '.config('company_name').' umziehen"></p>'; |
105 | 105 |
|
106 | 106 |
output(html_form('domains_transferin', 'domainreg', '', $form)); |
... | ... |
@@ -126,12 +126,12 @@ if (isset($_REQUEST['domain'])) { |
126 | 126 |
<label for="option-email-disable">Nicht für E-Mail nutzen</label> |
127 | 127 |
</p>'; |
128 | 128 |
|
129 |
- $form .= '<p><input type="hidden" name="domain" value="'.filter_input_general($request).'"> |
|
129 |
+ $form .= '<p><input type="hidden" name="domain" value="'.filter_output_html($request).'"> |
|
130 | 130 |
<input type="submit" name="submit" value="Diese Domain bei '.config('company_name').' verwenden"></p>'; |
131 | 131 |
|
132 | 132 |
output(html_form('domains_external', 'useexternal', '', $form)); |
133 | 133 |
} else { |
134 |
- output('<p class="domain-unavailable">Die Domain '.filter_input_general($request).' kann nicht registriert werden.</p>'); |
|
134 |
+ output('<p class="domain-unavailable">Die Domain '.filter_output_html($request).' kann nicht registriert werden.</p>'); |
|
135 | 135 |
|
136 | 136 |
switch ($avail['status']) { |
137 | 137 |
case 'nameContainsForbiddenCharacter': |
... | ... |
@@ -34,10 +34,10 @@ if (isset($_REQUEST['domain'])) { |
34 | 34 |
if (substr($request, 0, 4) == 'www.') { |
35 | 35 |
$request = str_replace('www.', '', $request); |
36 | 36 |
} |
37 |
- verify_input_general($request); |
|
37 |
+ verify_input_hostname_utf8($request); |
|
38 | 38 |
$punycode = idn_to_ascii($request, 0, INTL_IDNA_VARIANT_UTS46); |
39 | 39 |
if (!check_domain($punycode)) { |
40 |
- warning("Ungültiger Domainname: ".filter_input_general($request)); |
|
40 |
+ warning("Ungültiger Domainname: ".filter_output_html($request)); |
|
41 | 41 |
redirect('adddomain'); |
42 | 42 |
} |
43 | 43 |
$dom = new Domain(); |
... | ... |
@@ -170,7 +170,7 @@ $form .='</table>'; |
170 | 170 |
$form .= '<p>Mit dieser Bestellung geben Sie eine verbindliche Willenserklärung ab, diese Domain registrieren zu wollen. Sie treten in ein Vertragsverhältnis zu '.config('company_name').' unter dem Vorbehalt, dass die Domain registriert werden kann. Die Hoheit über die Vergabe der Domains hat die jeweils zuständige Registrierungsstelle. Es gelten die Vergabe-Bedingungen der jeweils zuständigen Registrierungsstelle.</p> |
171 | 171 |
<p>Der Domain-Vertrag beginnt mit Zuteilung der Domain durch die Regisrierungsstelle und läuft jeweils '.$pricedata['interval'].' Monate. Er verlängert sich stets automatisch um weitere '.$pricedata['interval'].' Monate, wenn nicht bis 14 Tage vor Ende der Laufzeit eine Kündigung vorliegt.</p>'; |
172 | 172 |
|
173 |
-$form .= '<p><input type="hidden" name="domain" value="'.filter_input_general($dom->fqdn).'"> |
|
173 |
+$form .= '<p><input type="hidden" name="domain" value="'.filter_output_html($dom->fqdn).'"> |
|
174 | 174 |
<input type="submit" name="submit" value="Kostenpflichtigen Vertrag abschließen"></p>'; |
175 | 175 |
output(html_form('domains_domainreg', 'domainreg_save', '', $form)); |
176 | 176 |
output('<p>'.internal_link('domains', 'Zurück').'</p>'); |
... | ... |
@@ -30,10 +30,10 @@ $request = idn_to_utf8($_REQUEST['domain'], 0, INTL_IDNA_VARIANT_UTS46); |
30 | 30 |
if (substr($request, 0, 4) == 'www.') { |
31 | 31 |
$request = str_replace('www.', '', $request); |
32 | 32 |
} |
33 |
-verify_input_general($request); |
|
33 |
+verify_input_hostname_utf8($request); |
|
34 | 34 |
$punycode = idn_to_ascii($request, 0, INTL_IDNA_VARIANT_UTS46); |
35 | 35 |
if (!check_domain($punycode)) { |
36 |
- warning("Ungültiger Domainname: ".filter_input_general($request)); |
|
36 |
+ warning("Ungültiger Domainname: ".filter_output_html($request)); |
|
37 | 37 |
redirect(''); |
38 | 38 |
} |
39 | 39 |
|
... | ... |
@@ -39,7 +39,7 @@ if ($_SESSION['role'] == ROLE_VMAIL_ACCOUNT) { |
39 | 39 |
$id = get_vmail_id_by_emailaddr($_SESSION['mailaccount']); |
40 | 40 |
$account = get_account_details($id, false); |
41 | 41 |
$accountlogin = true; |
42 |
- $accountname = filter_input_general($_SESSION['mailaccount']); |
|
42 |
+ $accountname = filter_output_html($_SESSION['mailaccount']); |
|
43 | 43 |
} |
44 | 44 |
|
45 | 45 |
|
... | ... |
@@ -79,7 +79,7 @@ if (! $accountlogin) { |
79 | 79 |
$domain = (int) $_GET['domain']; |
80 | 80 |
} |
81 | 81 |
$form .= " |
82 |
- <p><strong>E-Mail-Adresse:</strong> <input type=\"text\" name=\"local\" id=\"local\" size=\"10\" value=\"{$account['local']}\" /><strong style=\"font-size: 1.5em;\"> @ </strong>".domainselect($domain)."</p>"; |
|
82 |
+ <p><strong>E-Mail-Adresse:</strong> <input type=\"text\" name=\"local\" id=\"local\" size=\"10\" value=\"".filter_output_html($account['local'])."\" /><strong style=\"font-size: 1.5em;\"> @ </strong>".domainselect($domain)."</p>"; |
|
83 | 83 |
} |
84 | 84 |
$password_message = ''; |
85 | 85 |
$password_value = ''; |
... | ... |
@@ -150,10 +150,7 @@ $form .= "<p><input type=\"radio\" name=\"ar_valid_until\" value=\"infinity\" id |
150 | 150 |
"<input type=\"text\" value=\"$enddate\" id=\"ar_enddate\" name=\"ar_enddate\" /><br/><small>(Automatische Antworten sind nur befristet erlaubt. Benötigen Sie langfristig funktionierende automatische Antworten, sprechen Sie unsere Administratoren bitte an, dann suchen wir eine Lösung.)</small></p>"; |
151 | 151 |
*/ |
152 | 152 |
|
153 |
-$subject = filter_input_general($ar['subject']); |
|
154 |
-if ($subject == null) { |
|
155 |
- $subject = ''; |
|
156 |
-} |
|
153 |
+$subject = filter_output_html($ar['subject']); |
|
157 | 154 |
$ar_subject_default_checked = ($subject == null) ? ' checked="checked"' : ''; |
158 | 155 |
$ar_subject_custom_checked = ($subject) ? ' checked="checked"' : ''; |
159 | 156 |
$form .= "<h4>Betreffzeile der automatischen Antwort</h4>". |
... | ... |
@@ -162,9 +159,9 @@ $form .= "<h4>Betreffzeile der automatischen Antwort</h4>". |
162 | 159 |
"<input type=\"radio\" name=\"ar_subject\" value=\"custom\" id=\"ar_subject_custom\"{$ar_subject_custom_checked} /> ". |
163 | 160 |
"<label for=\"ar_subject_custom\">Anderer Betreff:</label> <input type=\"text\" name=\"ar_subject_value\" id=\"ar_subject_value\" value=\"{$subject}\"/></p>"; |
164 | 161 |
|
165 |
-$message = filter_input_general($ar['message']); |
|
162 |
+$message = filter_output_html($ar['message']); |
|
166 | 163 |
$form .= "<h4>Inhalt der automatischen Antwort</h4>". |
167 |
- "<p><textarea cols=\"80\" rows=\"10\" name=\"ar_message\" id=\"ar_message\">".filter_input_general($ar['message'])."</textarea></p>"; |
|
164 |
+ "<p><textarea cols=\"80\" rows=\"10\" name=\"ar_message\" id=\"ar_message\">{$message}</textarea></p>"; |
|
168 | 165 |
$quote = $ar['quote']; |
169 | 166 |
if (! $quote) { |
170 | 167 |
$quote = 'none'; |
... | ... |
@@ -178,7 +175,7 @@ $form .= "<p><label for=\"ar_quote\">Originalnachricht des Absenders </label>". |
178 | 175 |
|
179 | 176 |
$ar_from_default_checked = ($ar['fromname'] == null) ? ' checked="checked"' : ''; |
180 | 177 |
$ar_from_custom_checked = ($ar['fromname'] != null) ? ' checked="checked"' : ''; |
181 |
-$fromname = filter_input_general($ar['fromname']); |
|
178 |
+$fromname = filter_output_html($ar['fromname']); |
|
182 | 179 |
$form .= "<h4>Absender der automatischen Antwort</h4>". |
183 | 180 |
"<p><input type=\"radio\" name=\"ar_from\" value=\"default\" id=\"ar_from_default\"{$ar_from_default_checked} /> <label for=\"ar_from_default\">Nur E-Mail-Adresse</label><br />". |
184 | 181 |
"<input type=\"radio\" name=\"ar_from\" value=\"custom\" id=\"ar_from_custom\"{$ar_from_custom_checked} /> <label for=\"ar_from_custom\">Mit Name: </label> ". |
... | ... |
@@ -211,7 +208,7 @@ for ($i = 0 ; $i < max($numforwards, 10) ; $i++) { |
211 | 208 |
$num = $i+1; |
212 | 209 |
$form .= "<div class=\"vmail-forward\" id=\"vmail_forward_{$num}\"> |
213 | 210 |
<div style=\"float: right;\" class=\"delete_forward\">".icon_delete("Diese Weiterleitung entfernen")."</div> |
214 |
- <p>Weiterleiten an <input type=\"text\" id=\"forward_to_{$num}\" name=\"forward_to_{$num}\" value=\"{$account['forwards'][$i]['destination']}\" /></p> |
|
211 |
+ <p>Weiterleiten an <input type=\"text\" id=\"forward_to_{$num}\" name=\"forward_to_{$num}\" value=\"".filter_output_html($account['forwards'][$i]['destination'])."\" /></p> |
|
215 | 212 |
</div>\n"; |
216 | 213 |
} |
217 | 214 |
$form .= '</div>'; |
... | ... |
@@ -125,10 +125,10 @@ if (isset($_GET['action']) && $_GET['action'] == 'save') { |
125 | 125 |
<p>Soll der folgende Account wirklich gelöscht werden?</p> |
126 | 126 |
<table style="margin-bottom: 1em;"> |
127 | 127 |
<tr><td>Benutzername:</td> |
128 |
- <td>'.filter_input_general($account['account']).'</td> |
|
128 |
+ <td>'.filter_output_html($account['account']).'</td> |
|
129 | 129 |
</tr> |
130 | 130 |
<tr><td>Mailbox:</td> |
131 |
- <td>'.filter_input_general($account['mailbox']).'</td> |
|
131 |
+ <td>'.filter_output_html($account['mailbox']).'</td> |
|
132 | 132 |
</tr> |
133 | 133 |
<tr><td>Konto aktiv:</td> |
134 | 134 |
<td>'.$enabled.'</td> |
... | ... |
@@ -265,9 +265,8 @@ function save_vmail_account($account) |
265 | 265 |
$forwards = array(); |
266 | 266 |
if (count($account['forwards']) > 0) { |
267 | 267 |
for ($i = 0 ; $i < count($account['forwards']) ; $i++) { |
268 |
- $account['forwards'][$i]['destination'] = filter_input_general($account['forwards'][$i]['destination']); |
|
269 | 268 |
if (! check_emailaddr($account['forwards'][$i]['destination'])) { |
270 |
- system_failure('Das Weiterleitungs-Ziel »'.$account['forwards'][$i]['destination'].'« ist keine E-Mail-Adresse!'); |
|
269 |
+ system_failure('Das Weiterleitungs-Ziel »'.filter_output_html($account['forwards'][$i]['destination']).'« ist keine E-Mail-Adresse!'); |
|
271 | 270 |
} |
272 | 271 |
} |
273 | 272 |
} |
... | ... |
@@ -44,7 +44,7 @@ output('<p>Mit dieser Funktion können Sie eine E-Mail-Adresse stilllegen (so we |
44 | 44 |
<p><strong>Wichtig:</strong> Dieses Verfahren funktioniert nur, wenn die E-Mails wirklich nicht angenommen werden (Annahme wird verweigert), somit sind keine Weiterleitung und keine Speicherung möglich. Sie können aber natürlich im Text auf eine andere E-Mail-Adresse hinweisen.</p>'); |
45 | 45 |
|
46 | 46 |
$form = "<h4>Text der Fehlermeldung</h4>". |
47 |
- "<p><textarea cols=\"80\" rows=\"10\" name=\"smtpreply\" id=\"smtpreply\">".filter_input_general($account['smtpreply'])."</textarea></p>"; |
|
47 |
+ "<p><textarea cols=\"80\" rows=\"10\" name=\"smtpreply\" id=\"smtpreply\">".filter_output_html($account['smtpreply'])."</textarea></p>"; |
|
48 | 48 |
|
49 | 49 |
$form .= '<p><input id="submit" type="submit" value="Speichern" />    '; |
50 | 50 |
if ($suspended) { |
... | ... |
@@ -136,8 +136,7 @@ Subdomains können grundsätzlich nur durch Administratoren eingerichtet und ver |
136 | 136 |
} |
137 | 137 |
} |
138 | 138 |
foreach ($acc['forwards'] as $fwd) { |
139 |
- $fwd['destination'] = filter_input_general($fwd['destination']); |
|
140 |
- array_push($actions, "Weiterleitung an <strong>{$fwd['destination']}</strong>"); |
|
139 |
+ array_push($actions, "Weiterleitung an <strong>".filter_output_html($fwd['destination'])."</strong>"); |
|
141 | 140 |
} |
142 | 141 |
$dest = ''; |
143 | 142 |
if (count($actions) > 0) { |
... | ... |
@@ -148,10 +147,10 @@ Subdomains können grundsätzlich nur durch Administratoren eingerichtet und ver |
148 | 147 |
$dest .= '</ul>'; |
149 | 148 |
} |
150 | 149 |
if ($acc['smtpreply']) { |
151 |
- output('<p><strike>'.$acc['local'].'@'.$this_account['domainname'].'</strike> '.internal_link("save", '<img src="'.$prefix.'images/delete.png" alt="löschen" title="Dieses Konto löschen"/>', "action=delete&id=".$acc['id']).'</p>'); |
|
150 |
+ output('<p><strike>'.$filter_output_html(acc['local'].'@'.$this_account['domainname']).'</strike> '.internal_link("save", '<img src="'.$prefix.'images/delete.png" alt="löschen" title="Dieses Konto löschen"/>', "action=delete&id=".$acc['id']).'</p>'); |
|
152 | 151 |
output("<ul><li>".icon_disabled()." Diese Adresse ist stillgelegt. <strong>".internal_link('suspend', 'Stilllegung ändern/aufheben', 'account='.$acc['id']).'</strong></li></ul>'); |
153 | 152 |
} else { |
154 |
- output('<p>'.internal_link('edit', $acc['local'].'@'.$this_account['domainname'], 'id='.$acc['id']).' '.internal_link("save", '<img src="'.$prefix.'images/delete.png" alt="löschen" title="Dieses Konto löschen"/>', "action=delete&id=".$acc['id']).'</p>'); |
|
153 |
+ output('<p>'.internal_link('edit', filter_output_html($acc['local'].'@'.$this_account['domainname']), 'id='.$acc['id']).' '.internal_link("save", '<img src="'.$prefix.'images/delete.png" alt="löschen" title="Dieses Konto löschen"/>', "action=delete&id=".$acc['id']).'</p>'); |
|
155 | 154 |
output('<p>'.$dest.'</p>'); |
156 | 155 |
} |
157 | 156 |
} |
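Review bot: The first changed output() call in this hunk has the `$` on the wrong side of the call — `$filter_output_html(acc['local'].'@'...)` is an undefined-constant `acc` plus a variable-function call on an unset variable, so this file no longer parses. It should read `'<p><strike>'.filter_output_html($acc['local'].'@'.$this_account['domainname']).'</strike> '`, which is the same form the else branch in this hunk already uses inside internal_link().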
... | ... |
@@ -167,5 +166,5 @@ Subdomains können grundsätzlich nur durch Administratoren eingerichtet und ver |
167 | 166 |
|
168 | 167 |
|
169 | 168 |
/* FIXME: Das sollte nur kommen, wenn der IMAP/POP3-Menü-Eintrag nicht da ist */ |
170 |
- output('<p style="font-size: 90%;padding-top: 0.5em; border-top: 1px solid black;">Hinweis: '.config('company_name').' bietet für fortgeschrittene Nutzer die manuelle Einrichtung von POP3/IMAP-Accounts.<br/>'.internal_link("imap", "Neuen POP3/IMAP-Account anlegen", "action=create").'</p>'); |
|
169 |
+ output('<p style="font-size: 90%;padding-top: 0.5em; border-top: 1px solid black;">Hinweis: '.filter_output_html(config('company_name')).' bietet für fortgeschrittene Nutzer die manuelle Einrichtung von POP3/IMAP-Accounts.<br/>'.internal_link("imap", "Neuen POP3/IMAP-Account anlegen", "action=create").'</p>'); |
|
171 | 170 |
} |
... | ... |
@@ -60,8 +60,7 @@ if ($acc['autoresponder']) { |
60 | 60 |
} |
61 | 61 |
|
62 | 62 |
foreach ($acc['forwards'] as $fwd) { |
63 |
- $fwd['destination'] = filter_input_general($fwd['destination']); |
|
64 |
- $content .= '<p>'.other_icon('go.png')." Weiterleitung an <strong>{$fwd['destination']}</strong></p>"; |
|
63 |
+ $content .= '<p>'.other_icon('go.png')." Weiterleitung an <strong>".filter_output_html($fwd['destination'])."</strong></p>"; |
|
65 | 64 |
} |
66 | 65 |
|
67 | 66 |
|
... | ... |
@@ -56,7 +56,7 @@ function save_ftpuser($data) |
56 | 56 |
if ($data['username'] == '') { |
57 | 57 |
system_failure('Bitte geben Sie eine Erweiterung für den Benutzernamen an!'); |
58 | 58 |
} |
59 |
- $homedir = filter_input_general($data['homedir']); |
|
59 |
+ $homedir = $data['homedir']; |
|
60 | 60 |
if (substr($homedir, 0, 1) == '/') { |
61 | 61 |
$homedir = substr($homedir, 1); |
62 | 62 |
} |
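Review bot: `$homedir = $data['homedir'];` now takes the directory name exactly as submitted, whereas the other free-text values this commit routes to storage go through `filter_input_oneline()` (the set_account_details and set_database_description hunks). Nothing in this hunk rejects control characters or `..` path segments, and save_ftpuser continues outside the hunk, so I cannot see whether that happens later. `$homedir = filter_input_oneline($data['homedir']);` would keep the control-character check in place, and a check for `..` segments belongs next to the leading-slash strip that follows.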
... | ... |
@@ -40,7 +40,7 @@ if (isset($_GET['repo']) && isset($repos[$_GET['repo']])) { |
40 | 40 |
$action = 'editrepo'; |
41 | 41 |
title("Zugriff auf GIT-Repository ändern"); |
42 | 42 |
output("<p>Legen Sie hier fest, welche Berechtigungen für welche SSH-Keys gelten sollen.</p>"); |
43 |
- $form .= '<table><tr><td>Name des Repository</td><td><input type="hidden" name="repo" value="'.filter_input_general($_GET['repo']).'" />'.filter_input_general($_GET['repo']).'</td></tr>'; |
|
43 |
+ $form .= '<table><tr><td>Name des Repository</td><td><input type="hidden" name="repo" value="'.filter_output_html($_GET['repo']).'" />'.filter_output_html($_GET['repo']).'</td></tr>'; |
|
44 | 44 |
} else { |
45 | 45 |
$action = 'newrepo'; |
46 | 46 |
title("Neues GIT-Repository anlegen"); |
... | ... |
@@ -87,7 +87,7 @@ $checked = (isset($_GET['repo']) && isset($repos[$_GET['repo']]) && isset($repos |
87 | 87 |
$description = (isset($_GET['repo']) && isset($repos[$_GET['repo']])) ? $repos[$_GET['repo']]['description'] : ''; |
88 | 88 |
$disabled = $checked ? '' : ' disabled="disabled"'; |
89 | 89 |
$form .= '<p><input type="checkbox" name="gitweb" id="gitweb" value="r"'.$checked.' onclick="showDescription()" /> <label for="gitweb">Öffentlicher Lesezugriff via gitweb</label><br /> |
90 |
-<label for="description">Beschreibung des Repository:</label> <input type="text" name="description" id="description" value="'.$description.'"'.$disabled.' /></p>'; |
|
90 |
+<label for="description">Beschreibung des Repository:</label> <input type="text" name="description" id="description" value="'.filter_output_html($description).'"'.$disabled.' /></p>'; |
|
91 | 91 |
$form .= '</td></tr></table>'; |
92 | 92 |
$form .= '<p><input type="submit" value="Speichern" /></p>'; |
93 | 93 |
|
... | ... |
@@ -38,7 +38,7 @@ if (count($repos) == 0) { |
38 | 38 |
} |
39 | 39 |
|
40 | 40 |
foreach ($repos as $repo => $settings) { |
41 |
- $description = $settings['description'] ? '<br /><em>"'.filter_input_general($settings['description']).'"</em>' : ''; |
|
41 |
+ $description = $settings['description'] ? '<br /><em>"'.filter_output_html($settings['description']).'"</em>' : ''; |
|
42 | 42 |
$url = get_git_url($repo); |
43 | 43 |
$public = isset($settings['users']['gitweb']) && $settings['users']['gitweb'] == 'R'; |
44 | 44 |
$public_string = ''; |
... | ... |
@@ -120,6 +120,7 @@ function list_repos() |
120 | 120 |
} |
121 | 121 |
DEBUG("found repo ".$m[1]); |
122 | 122 |
$current_repo = chop($m[1]); |
123 |
+ verify_input_identifier($current_repo); |
|
123 | 124 |
$current_repo_users = array(); |
124 | 125 |
} elseif (preg_match('/^\s*(R|RW|RW\+)\s*=\s*([[:alnum:]][[:alnum:]._-]*)\s*$/', $line, $m) != 0) { |
125 | 126 |
DEBUG("found access rule: ".$m[1]." for ".$m[2]); |
... | ... |
@@ -151,7 +152,9 @@ function list_users() |
151 | 152 |
foreach ($lines as $line) { |
152 | 153 |
$m = array(); |
153 | 154 |
if (preg_match('_# user ([^]]+)_', $line, $m) != 0) { |
154 |
- $users[] = chop($m[1]); |
|
155 |
+ $currentuser = trim($m[1]); |
|
156 |
+ verify_input_identifier($currentuser); |
|
157 |
+ $users[] = $currentuser; |
|
155 | 158 |
} |
156 | 159 |
if (preg_match('_^\s*repo .*_', $line) != 0) { |
157 | 160 |
break; |
... | ... |
@@ -22,7 +22,7 @@ $section = 'git_git'; |
22 | 22 |
|
23 | 23 |
$handle = ''; |
24 | 24 |
if (isset($_GET['handle'])) { |
25 |
- $handle = filter_input_general($_GET['handle']); |
|
25 |
+ $handle = verify_input_identifier($_GET['handle']); |
|
26 | 26 |
} |
27 | 27 |
|
28 | 28 |
$action = ''; |
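Review bot: `$handle = verify_input_identifier($_GET['handle']);` relies on the return value, while the two other new call sites in this commit (list_repos and list_users) call `verify_input_identifier()` for its side effect only and keep the original variable. If the function validates without returning its argument, `$handle` becomes null here and the page silently falls into the "new key" branch below. `verify_input_identifier($_GET['handle']); $handle = $_GET['handle'];` makes this site consistent with the others regardless of the return type; the function's definition is not in view, so please confirm which contract it follows.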
... | ... |
@@ -45,11 +45,11 @@ $userprefix = $_SESSION['userinfo']['username'].'-'; |
45 | 45 |
|
46 | 46 |
$form .= '<table><tr><td><label for="handle" />Name des Benutzers:</label></td>'; |
47 | 47 |
if ($handle) { |
48 |
- $form .= '<td><input type="hidden" name="handle" value="'.str_replace($userprefix, '', $handle).'" /><strong>'.$handle.'</strong></td></tr>'; |
|
48 |
+ $form .= '<td><input type="hidden" name="handle" value="'.filter_output_html(str_replace($userprefix, '', $handle)).'" /><strong>'.filter_output_html($handle).'</strong></td></tr>'; |
|
49 | 49 |
} else { |
50 | 50 |
$form .= '<td>'.$userprefix.'<input type="text" id="handle" name="handle" value="'.$handle.'" /></td></tr>'; |
51 | 51 |
} |
52 |
-$form .= '<tr><td><label for="pubkey">SSH-Public-Key:</label></td><td><textarea name="pubkey" id="pubkey" cols="70" rows="10">'.$pubkey.'</textarea></td></tr> |
|
52 |
+$form .= '<tr><td><label for="pubkey">SSH-Public-Key:</label></td><td><textarea name="pubkey" id="pubkey" cols="70" rows="10">'.filter_output_html($pubkey).'</textarea></td></tr> |
|
53 | 53 |
</table> |
54 | 54 |
<p><input type="submit" value="Speichern" /></p> |
55 | 55 |
'; |
... | ... |
@@ -48,10 +48,10 @@ if (isset($_SESSION['clientcert_cert'])) { |
48 | 48 |
global $menu; |
49 | 49 |
output('<div style="margin: 1em; padding: 1em; border: 2px solid green;">'); |
50 | 50 |
output('<p>Es wurde folgendes Client-Zertifikat von Ihrem Browser gesendet:</p> |
51 |
-<div style="margin-left: 2em;"><strong>DN:</strong> '.filter_input_general($_SESSION['clientcert_dn']).'<br /> |
|
52 |
-<strong>Aussteller-DN:</strong> '.filter_input_general($_SESSION['clientcert_issuer']).'<br /> |
|
53 |
-<strong>Seriennummer:</strong> '.filter_input_general($_SESSION['clientcert_serial']).'<br /> |
|
54 |
-<strong>Gültigkeit:</strong> '.filter_input_general($_SESSION['clientcert_valid_from']).' bis '.filter_input_general($_SESSION['clientcert_valid_until']).'</div> |
|
51 |
+<div style="margin-left: 2em;"><strong>DN:</strong> '.filter_output_html($_SESSION['clientcert_dn']).'<br /> |
|
52 |
+<strong>Aussteller-DN:</strong> '.filter_output_html($_SESSION['clientcert_issuer']).'<br /> |
|
53 |
+<strong>Seriennummer:</strong> '.filter_output_html($_SESSION['clientcert_serial']).'<br /> |
|
54 |
+<strong>Gültigkeit:</strong> '.filter_output_html($_SESSION['clientcert_valid_from']).' bis '.filter_output_html($_SESSION['clientcert_valid_until']).'</div> |
|
55 | 55 |
<p>Soll dieses Zertifikat für den Zugang für <strong>'.$username.'</strong> verwendet werden?</p>'); |
56 | 56 |
output(html_form('clientcert_add', 'certsave.php', 'action=new', '<p><input type="submit" name="submit" value="Ja, dieses Zertifikat einrichten" />   '.internal_link('cert', 'Nein', 'clear').'</p>')); |
57 | 57 |
output('</div>'); |
... | ... |
@@ -64,8 +64,8 @@ if ($certs != null) { |
64 | 64 |
output('<p>Sie haben bereits Zertifikate für den Zugang eingerichtet.</p> |
65 | 65 |
<ul>'); |
66 | 66 |
foreach ($certs as $cert) { |
67 |
- output('<li>'.filter_input_general($cert['dn'].' / Seriennummer '.$cert['serial'].' / '.'Gültig von '.$cert['valid_from'].' bis '.$cert['valid_until']).'<br />'); |
|
68 |
- output('<em>ausgestellt von </em>'.filter_input_general($cert['issuer'])); |
|
67 |
+ output('<li>'.filter_output_html($cert['dn'].' / Seriennummer '.$cert['serial'].' / '.'Gültig von '.$cert['valid_from'].' bis '.$cert['valid_until']).'<br />'); |
|
68 |
+ output('<em>ausgestellt von </em>'.filter_output_html($cert['issuer'])); |
|
69 | 69 |
output('<br />'.internal_link('certsave', 'Dieses Zertifikat löschen', 'action=delete&id='.$cert['id'])); |
70 | 70 |
output('</li>'); |
71 | 71 |
} |
... | ... |
@@ -63,7 +63,7 @@ if ($_GET['action'] == 'new') { |
63 | 63 |
} |
64 | 64 |
$sure = user_is_sure(); |
65 | 65 |
if ($sure === null) { |
66 |
- are_you_sure("action=delete&id={$cert['id']}", filter_input_general("Möchten Sie das Zertifikat »{$cert['dn']}« (Seriennummer {$cert['serial']}, Gültig von {$cert['valid_from']} bis {$cert['valid_until']}) wirklich löschen?")); |
|
66 |
+ are_you_sure("action=delete&id={$cert['id']}", filter_output_html("Möchten Sie das Zertifikat »{$cert['dn']}« (Seriennummer {$cert['serial']}, Gültig von {$cert['valid_from']} bis {$cert['valid_until']}) wirklich löschen?")); |
|
67 | 67 |
} elseif ($sure === true) { |
68 | 68 |
delete_clientcert($cert['id']); |
69 | 69 |
if (! $debugmode) { |
... | ... |
@@ -24,7 +24,7 @@ $section = 'invoice_current'; |
24 | 24 |
title('Rechnung'); |
25 | 25 |
output('<p>Detailansicht Ihrer Rechnung. Beachten Sie bitte, dass diese Informationsseite sowie auch ein Ausdruck dieser Seite keine Rechnung darstellt. Ein gültiges Rechnungsdokument stellt lediglich die signierte PDF-Version bzw. eine Papierrechnung dar, die Sie von uns erhalten haben.</p>'); |
26 | 26 |
|
27 |
-$invoice_id = (int) filter_input_general($_GET['id']); |
|
27 |
+$invoice_id = (int) $_GET['id']; |
|
28 | 28 |
|
29 | 29 |
output("<p>Für eine druckbare Version benutzen Sie bitte die Ausgabe ".internal_link("pdf", "als PDF-Datei <img src=\"{$prefix}images/pdf.png\" width=\"22\" height=\"22\" alt=\"PDF\"/>", "id={$invoice_id}").".</p> |
30 | 30 |
<p> </p>"); |
... | ... |
@@ -43,7 +43,7 @@ foreach ($jabberaccounts as $acc) { |
43 | 43 |
if (! $lastactivity) { |
44 | 44 |
$lastactivity = 'Bisher nie verwendet'; |
45 | 45 |
} |
46 |
- $local = filter_input_general($acc['local']); |
|
46 |
+ $local = filter_output_html($acc['local']); |
|
47 | 47 |
$domain = new Domain((int) $acc['domain']); |
48 | 48 |
if ($domain->id == null) { |
49 | 49 |
$domain = new Domain(); |
... | ... |
@@ -57,10 +57,10 @@ if ($_GET['action'] == 'new') { |
57 | 57 |
$section = 'jabber_accounts'; |
58 | 58 |
|
59 | 59 |
$account = get_jabberaccount_details($_GET['account']); |
60 |
- $account_string = filter_input_general($account['local'].'@'.$account['domain']); |
|
60 |
+ $account_string = $account['local'].'@'.$account['domain']; |
|
61 | 61 |
$sure = user_is_sure(); |
62 | 62 |
if ($sure === null) { |
63 |
- are_you_sure("action=delete&account={$_GET['account']}", "Möchten Sie den Account »{$account_string}« wirklich löschen?"); |
|
63 |
+ are_you_sure("action=delete&account={$_GET['account']}", "Möchten Sie den Account »".filter_output_html($account_string})."« wirklich löschen?"); |
|
64 | 64 |
} elseif ($sure === true) { |
65 | 65 |
delete_jabber_account($account['id']); |
66 | 66 |
if (! $debugmode) { |
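Review bot: The are_you_sure() line carries a stray closing brace in `filter_output_html($account_string})`, which is a parse error for the whole jabber delete page. It should be `"Möchten Sie den Account »".filter_output_html($account_string)."« wirklich löschen?"`. Since `$account_string` is now assigned unescaped a few lines up, this call is the only place in the hunk where it reaches HTML, so escaping at this point is the right spot once the syntax is fixed.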
... | ... |
@@ -71,7 +71,6 @@ function create_list($listname, $maildomain, $admin) |
71 | 71 |
{ |
72 | 72 |
$listname = strtolower($listname); |
73 | 73 |
verify_input_username($listname); |
74 |
- verify_input_general($admin); |
|
75 | 74 |
if (in_array($listname, array("admin", "administrator", "webmaster", "hostmaster", "postmaster"))) { |
76 | 75 |
system_failure('Der Mailinglistenname '.$listname.' ist unzulässig.'); |
77 | 76 |
} |
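Review bot: Removing `verify_input_general($admin)` leaves `$admin` without any check in this hunk, and create_list continues outside the hunk, so I cannot see whether it is validated later. Given that the admin argument is presumably an e-mail address, the `check_emailaddr()` guard this commit relies on in the newsletter and vmail hunks would be the natural replacement, e.g. `if (! check_emailaddr($admin)) { system_failure("Keine gültige E-Mail-Adresse!"); }` placed where the removed line was.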
... | ... |
@@ -28,7 +28,7 @@ output('<p>Mit <a href="https://www.gnu.org/software/mailman/index.html">Mailman |
28 | 28 |
|
29 | 29 |
$filter = ""; |
30 | 30 |
if (isset($_REQUEST['filter']) && $_REQUEST['filter'] != '') { |
31 |
- $filter = filter_input_general($_REQUEST['filter']); |
|
31 |
+ $filter = $_REQUEST['filter']; |
|
32 | 32 |
} |
33 | 33 |
$lists = get_lists($filter); |
34 | 34 |
|
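Review bot: `$filter = $_REQUEST['filter'];` hands the raw request value to `get_lists()`, while the comparable description fields in this commit are passed through `filter_input_oneline()` before use (the set_database_description hunk). Output escaping of `$filter` is handled in the next hunk, but whether get_lists() treats the value as an opaque parameter is not visible here; `$filter = filter_input_oneline($_REQUEST['filter']);` keeps an input-side check without affecting the display.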
... | ... |
@@ -36,7 +36,7 @@ $lists = get_lists($filter); |
36 | 36 |
// Filter-Funktion |
37 | 37 |
if (count($lists) > 10 || $filter) { |
38 | 38 |
javascript(); |
39 |
- $form = '<p><label for="filter">Filter für die Anzeige:</label> <input type="text" name="filter" id="filter" value="'.$filter.'"><button type="button" id="clear" title="Filter leeren">×</button><input type="submit" value="Filtern!"></p>'; |
|
39 |
+ $form = '<p><label for="filter">Filter für die Anzeige:</label> <input type="text" name="filter" id="filter" value="'.filter_output_html($filter).'"><button type="button" id="clear" title="Filter leeren">×</button><input type="submit" value="Filtern!"></p>'; |
|
40 | 40 |
output(html_form('mailman_filter', 'lists', '', $form)); |
41 | 41 |
} |
42 | 42 |
|
... | ... |
@@ -37,7 +37,7 @@ if (isset($_GET['db'])) { |
37 | 37 |
} |
38 | 38 |
} |
39 | 39 |
$form = '<p>Ändern Sie hier die Beschreibung der Datenbank <strong>'.$thisdb['name'].'</strong>.</p>'; |
40 |
- $form .= '<p><input type="text" name="description" value="'.filter_input_general($thisdb['description']).'" /></p> |
|
40 |
+ $form .= '<p><input type="text" name="description" value="'.filter_output_html($thisdb['description']).'" /></p> |
|
41 | 41 |
<p><input type="submit" value="Speichern" /></p>'; |
42 | 42 |
output(html_form('mysql_description', 'save', "action=description&db={$thisdb['name']}", $form)); |
43 | 43 |
} |
... | ... |
@@ -49,7 +49,7 @@ if (isset($_GET['username'])) { |
49 | 49 |
} |
50 | 50 |
} |
51 | 51 |
$form = '<p>Ändern Sie hier die Beschreibung des DB-Benutzers <strong>'.$thisuser['username'].'</strong>.</p>'; |
52 |
- $form .= '<p><input type="text" name="description" value="'.filter_input_general($thisuser['description']).'" /></p> |
|
52 |
+ $form .= '<p><input type="text" name="description" value="'.filter_output_html($thisuser['description']).'" /></p> |
|
53 | 53 |
<p><input type="submit" value="Speichern" /></p>'; |
54 | 54 |
output(html_form('mysql_description', 'save', "action=description&username={$thisuser['username']}", $form)); |
55 | 55 |
} |
... | ... |
@@ -53,7 +53,7 @@ function set_database_description($dbname, $description) |
53 | 53 |
system_failure('Ungültige Datenbank'); |
54 | 54 |
} |
55 | 55 |
$args = array(":id" => $thisdb['id'], |
56 |
- ":desc" => filter_input_general($description)); |
|
56 |
+ ":desc" => filter_input_oneline($description)); |
|
57 | 57 |
db_query("UPDATE misc.mysql_database SET description=:desc WHERE id=:id", $args); |
58 | 58 |
} |
59 | 59 |
|
... | ... |
@@ -70,7 +70,7 @@ function set_dbuser_description($username, $description) |
70 | 70 |
system_failure('Ungültiger Benutzer'); |
71 | 71 |
} |
72 | 72 |
$args = array(":id" => $thisuser['id'], |
73 |
- ":desc" => filter_input_general($description)); |
|
73 |
+ ":desc" => filter_input_oneline($description)); |
|
74 | 74 |
db_query("UPDATE misc.mysql_accounts SET description=:desc WHERE id=:id", $args); |
75 | 75 |
} |
76 | 76 |
|
... | ... |
@@ -64,7 +64,7 @@ if (count($dbs) > 0 || count($users) > 0) { |
64 | 64 |
//$username = str_replace('_', '_ ', $user['username']); |
65 | 65 |
$desc = ''; |
66 | 66 |
if ($user['description']) { |
67 |
- $desc = '<br /><span style="font-weight: normal; font-size: 80%; font-style: italic;">'.filter_input_general($user['description']).'</span>'; |
|
67 |
+ $desc = '<br /><span style="font-weight: normal; font-size: 80%; font-style: italic;">'.filter_output_html($user['description']).'</span>'; |
|
68 | 68 |
} |
69 | 69 |
output("<th><span title=\"Erstellt: {$user['created']}\">{$username}</span>".$desc); |
70 | 70 |
output("<br />".internal_link('description', other_icon("comment.png", 'Beschreibung ändern'), "username={$username}")." "); |
... | ... |
@@ -78,7 +78,7 @@ if (count($dbs) > 0 || count($users) > 0) { |
78 | 78 |
$phpmyadmin = "https://mysql-{$servers[$db['name']]}/"; |
79 | 79 |
$desc = ''; |
80 | 80 |
if ($db['description']) { |
81 |
- $desc = '<br /><span style="font-weight: normal; font-size: 80%; font-style: italic;">'.filter_input_general($db['description']).'</span>'; |
|
81 |
+ $desc = '<br /><span style="font-weight: normal; font-size: 80%; font-style: italic;">'.filter_output_html($db['description']).'</span>'; |
|
82 | 82 |
} |
83 | 83 |
output("<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\"><span title=\"Erstellt: {$db['created']}\">{$db['name']}</span>".$desc."<br />"); |
84 | 84 |
output(internal_link('description', other_icon("comment.png", 'Datenbank-Beschreibung ändern'), "db={$db['name']}")." "); |
... | ... |
@@ -32,7 +32,7 @@ if (! $oldaddr) { |
32 | 32 |
$no = ' checked="checked" '; |
33 | 33 |
} |
34 | 34 |
|
35 |
-$form = '<p><input type="radio" id="newsletter_yes" name="newsletter" value="yes" '.$yes.' /> <label for="newsletter_yes">Newsletter soll gesendet werden an:</label> <input type="text" name="recipient" id="recipient" value="'.filter_input_general($oldaddr).'" maxlength="255" /></p> |
|
35 |
+$form = '<p><input type="radio" id="newsletter_yes" name="newsletter" value="yes" '.$yes.' /> <label for="newsletter_yes">Newsletter soll gesendet werden an:</label> <input type="text" name="recipient" id="recipient" value="'.filter_output_html($oldaddr).'" maxlength="255" /></p> |
|
36 | 36 |
<p><input type="radio" id="newsletter_no" name="newsletter" value="no" '.$no.' /> <label for="newsletter_no">Ich möchte gar keinen Newsletter erhalten.</label></p> |
37 | 37 |
|
38 | 38 |
<p><input type="submit" value="Speichern" /></p>'; |
... | ... |
@@ -47,6 +47,6 @@ output("<h3>Vergangene Newsletter</h3> |
47 | 47 |
output("<ul>"); |
48 | 48 |
$news = get_latest_news(); |
49 | 49 |
foreach ($news as $item) { |
50 |
- output("<li>".internal_link("read", $item['date'].': '.$item['subject'], "id=".$item['id'])."</li>"); |
|
50 |
+ output("<li>".internal_link("read", $item['date'].': '.filter_output_html($item['subject']), "id=".$item['id'])."</li>"); |
|
51 | 51 |
} |
52 | 52 |
output("</ul>"); |
... | ... |
@@ -36,7 +36,7 @@ if ((isset($_REQUEST['newsletter']) && $_REQUEST['newsletter'] == 'no') || (isse |
36 | 36 |
} |
37 | 37 |
} else { |
38 | 38 |
check_form_token('newsletter'); |
39 |
- if (! check_emailaddr($_REQUEST['recipient']) || filter_input_general($_REQUEST['recipient']) != $_REQUEST['recipient']) { |
|
39 |
+ if (! check_emailaddr($_REQUEST['recipient'])) { |
|
40 | 40 |
system_failure("Keine gültige E-Mail-Adresse!"); |
41 | 41 |
} |
42 | 42 |
set_newsletter_address($_REQUEST['recipient']); |
... | ... |
@@ -16,7 +16,6 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
16 | 16 |
|
17 | 17 |
require_once('inc/base.php'); |
18 | 18 |
require_once('inc/security.php'); |
19 |
-require_once('inc/debug.php'); |
|
20 | 19 |
|
21 | 20 |
require_once('session/start.php'); |
22 | 21 |
require_once('su.php'); |
... | ... |
@@ -37,7 +36,7 @@ if (isset($_GET['do'])) { |
37 | 36 |
$search = null; |
38 | 37 |
if (isset($_POST['query'])) { |
39 | 38 |
check_form_token('su_su'); |
40 |
- $id = filter_input_general($_POST['query']); |
|
39 |
+ $id = $_POST['query']; |
|
41 | 40 |
if (! su(null, $id)) { |
42 | 41 |
$search = $_POST['query']; |
43 | 42 |
} |
... | ... |
@@ -48,11 +47,6 @@ title("Benutzer wechseln"); |
48 | 47 |
output('<p>Hiermit können Sie (als Admin) das Webinterface mit den Rechten eines beliebigen anderen Benutzers benutzen.</p> |
49 | 48 |
'); |
50 | 49 |
|
51 |
-$debug = ''; |
|
52 |
-if ($debugmode) { |
|
53 |
- $debug = 'debug&'; |
|
54 |
-} |
|
55 |
- |
|
56 | 50 |
require_once('inc/jquery.php'); |
57 | 51 |
// lädt die JS-Datei mit gleichem basename |
58 | 52 |
javascript(); |
... | ... |
@@ -63,6 +57,6 @@ output(html_form('su_su', '', '', '<p><label for="query"><strong>Suchtext:</stro |
63 | 57 |
if ($search) { |
64 | 58 |
$allentries = build_results($search); |
65 | 59 |
foreach ($allentries as $entry) { |
66 |
- output(" <p><a href=\"?do=".filter_input_general($entry['id'])."\">".filter_input_general($entry['value'])."</a></p>"); |
|
60 |
+ output(" <p><a href=\"?do=".filter_output_html($entry['id'])."\">".filter_output_html($entry['value'])."</a></p>"); |
|
67 | 61 |
} |
68 | 62 |
} |
... | ... |
@@ -57,7 +57,7 @@ if (! customer_may_have_useraccounts()) { |
57 | 57 |
} |
58 | 58 |
$realname = $acc['name'] ? $acc['name'] : $_SESSION['customerinfo']['name']; |
59 | 59 |
$quotastring = implode('', $quota); |
60 |
- output("<tr><td><p><strong>{$acc['username']}</strong> - {$realname}</p><p style=\"color: #555;\">Existiert seit {$acc['erstellungsdatum']}<br />Verwendete Shell: {$shell}</p></td>"); |
|
60 |
+ output("<tr><td><p><strong>{$acc['username']}</strong> - ".filter_output_html($realname)."</p><p style=\"color: #555;\">Existiert seit {$acc['erstellungsdatum']}<br />Verwendete Shell: {$shell}</p></td>"); |
|
61 | 61 |
output("<td>{$quotastring}</td>"); |
62 | 62 |
output("<td>".internal_link('edit', other_icon('user_edit.png', 'Bearbeiten'), "uid={$acc['uid']}")); |
63 | 63 |
|
... | ... |
@@ -110,8 +110,8 @@ function set_account_details($account) |
110 | 110 |
if ($account['name'] == '') { |
111 | 111 |
$account['name'] = null; |
112 | 112 |
} |
113 |
- $args = array(":fullname" => filter_input_general($account['name']), |
|
114 |
- ":shell" => filter_input_general($account['shell']), |
|
113 |
+ $args = array(":fullname" => filter_input_oneline($account['name']), |
|
114 |
+ ":shell" => filter_input_oneline($account['shell']), |
|
115 | 115 |
":quota" => $account['quota'], |
116 | 116 |
":uid" => $account['uid'], |
117 | 117 |
":customerno" => $customerno); |
... | ... |
@@ -53,7 +53,7 @@ foreach ($usedquota as $q) { |
53 | 53 |
$customer = get_customer_info($_SESSION['userinfo']['customerno']); |
54 | 54 |
$realname = $acc['name'] ? $acc['name'] : $customer['name']; |
55 | 55 |
$quotastring = implode('', $quota); |
56 |
-output("<h5>Stammdaten</h5><div style=\"margin-left: 2em;\"><p>Benutzername: <strong>{$acc['username']}</strong></p><p>Name: {$realname}</p><p>Existiert seit {$acc['erstellungsdatum']}</p><p>Verwendete Shell: {$shell}</p>"); |
|
56 |
+output("<h5>Stammdaten</h5><div style=\"margin-left: 2em;\"><p>Benutzername: <strong>{$acc['username']}</strong></p><p>Name: ".filter_output_html($realname)."</p><p>Existiert seit {$acc['erstellungsdatum']}</p><p>Verwendete Shell: {$shell}</p>"); |
|
57 | 57 |
output("<p>".internal_link('edit', other_icon('user_edit.png', 'Bearbeiten').' Daten bearbeiten').'</p>'); |
58 | 58 |
output("</div>\n"); |
59 | 59 |
output("<h5>Speicherplatz</h5><div style=\"margin-left: 2em;\">{$quotastring}</div>"); |
... | ... |
@@ -92,7 +92,7 @@ else |
92 | 92 |
if ($_POST['defaultname'] == 1) { |
93 | 93 |
$account['name'] = null; |
94 | 94 |
} else { |
95 |
- $account['name'] = filter_input_general($_POST['fullname']); |
|
95 |
+ $account['name'] = filter_input_oneline($_POST['fullname']); |
|
96 | 96 |
} |
97 | 97 |
|
98 | 98 |
$shells = available_shells(); |
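Review bot: `$_POST['fullname']` on line 95 is read without an existence check; `filter_input_oneline()` accepts `null`, but a missing key raises a notice first. Write `$account['name'] = filter_input_oneline(isset($_POST['fullname']) ? $_POST['fullname'] : null);`. The enclosing `else` branch starts outside the hunk.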
... | ... |
@@ -113,7 +113,7 @@ else |
113 | 113 |
} elseif ($_GET['action'] == 'delete') { |
114 | 114 |
system_failure("Benutzeraccounts zu löschen ist momentan nicht über diese Oberfläche möglich. Bitte wenden Sie sich an einen Administrator."); |
115 | 115 |
/* |
116 |
-$account_string = filter_input_general( $account['local'].'@'.$account['domain'] ); |
|
116 |
+$account_string = filter_output_html($account['local'].'@'.$account['domain']); |
|
117 | 117 |
$sure = user_is_sure(); |
118 | 118 |
if ($sure === NULL) |
119 | 119 |
{ |
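Review bot: Line 116 lies inside the `/*` comment opened on line 115, so the change on this line is to dead code. Since the `delete` action is already blocked by `system_failure()` on line 114, deleting the commented-out block is cleaner than keeping it in sync. The comment block ends outside the hunk.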
... | ... |
@@ -36,7 +36,7 @@ if (count($certs) > 0) { |
36 | 36 |
} elseif ($c['valid_until'] <= date('Y-m-d', time()+(30*24*3600)) && !cert_is_letsencrypt($c['id'])) { |
37 | 37 |
$style=' style="background-color: #ff8;" '; |
38 | 38 |
} |
39 |
- output("<tr><td{$style}>".internal_link('showcert', $c['subject'], "mode=cert&id={$c['id']}")."</td><td{$style}>{$c['cn']}</td><td{$style}>{$c['valid_from']}</td><td{$style}>{$c['valid_until']}</td><td>".internal_link('newcert', '<img src="'.$prefix.'images/refresh.png" title="Neue Version des Zertifikats einspielen" />', 'replace='.$c['id'])."   ".internal_link('savecert', '<img src="'.$prefix.'images/delete.png" />', 'action=delete&id='.$c['id'])."</td></tr>"); |
|
39 |
+ output("<tr><td{$style}>".internal_link('showcert', filter_output_html($c['subject']), "mode=cert&id={$c['id']}")."</td><td{$style}>".filter_output_html($c['cn'])."</td><td{$style}>{$c['valid_from']}</td><td{$style}>{$c['valid_until']}</td><td>".internal_link('newcert', '<img src="'.$prefix.'images/refresh.png" title="Neue Version des Zertifikats einspielen" />', 'replace='.$c['id'])."   ".internal_link('savecert', '<img src="'.$prefix.'images/delete.png" />', 'action=delete&id='.$c['id'])."</td></tr>"); |
|
40 | 40 |
} |
41 | 41 |
output("</table>"); |
42 | 42 |
} else { |
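Review bot: `$c['id']` is concatenated into three query strings on line 39 without an integer cast, while `refresh_cert()` elsewhere in this commit does `(int) $id`; cast here as well, `'replace='.(int) $c['id']`, `'action=delete&id='.(int) $c['id']` and `"mode=cert&id=".(int) $c['id']`. `$c['valid_from']` and `$c['valid_until']` are still interpolated unescaped; if they come straight from date columns this is harmless, but `filter_output_html()` on them keeps the row uniformly escaped. The enclosing loop starts outside the hunk.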
... | ... |
@@ -226,7 +226,7 @@ function save_cert($info, $cert, $key) |
226 | 226 |
|
227 | 227 |
db_query( |
228 | 228 |
"INSERT INTO vhosts.certs (uid, subject, cn, san, valid_from, valid_until, chain, cert, `key`) VALUES (:uid, :subject, :cn, :san, :valid_from, :valid_until, :chain, :cert, :key)", |
229 |
- array(":uid" => $uid, ":subject" => filter_input_general($info['subject']), ":cn" => filter_input_general($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'], |
|
229 |
+ array(":uid" => $uid, ":subject" => filter_input_oneline($info['subject']), ":cn" => filter_input_oneline($info['cn']), ":san" => $info['san'], ":valid_from" => $info['valid_from'], |
|
230 | 230 |
":valid_until" => $info['valid_until'], ":chain" => get_chain($cert), ":cert" => $cert, ":key" => $key) |
231 | 231 |
); |
232 | 232 |
} |
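Review bot: `:san` on line 229 is still bound unfiltered while `:subject` and `:cn` now go through `filter_input_oneline()`; `refresh_cert` at line 244 has the same inconsistency. All three come from the same parsed `$info`, so if SAN is stored as a single line it should get the same treatment, `":san" => filter_input_oneline($info['san'])`; if it can legitimately span lines, `filter_input_general()` is the matching choice. `save_cert` starts outside the hunk.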
... | ... |
@@ -239,8 +239,8 @@ function refresh_cert($id, $info, $cert, $key = null) |
239 | 239 |
|
240 | 240 |
$id = (int) $id; |
241 | 241 |
$oldcert = cert_details($id); |
242 |
- $args = array(":subject" => filter_input_general($info['subject']), |
|
243 |
- ":cn" => filter_input_general($info['cn']), |
|
242 |
+ $args = array(":subject" => filter_input_oneline($info['subject']), |
|
243 |
+ ":cn" => filter_input_oneline($info['cn']), |
|
244 | 244 |
":san" => $info['san'], |
245 | 245 |
":cert" => $cert, |
246 | 246 |
":valid_from" => $info['valid_from'], |
... | ... |
@@ -37,7 +37,7 @@ output("<p>Mit dieser Funktion legen Sie fest, welche Websites verfügbar sein s |
37 | 37 |
|
38 | 38 |
$filter = ""; |
39 | 39 |
if (isset($_REQUEST['filter']) && $_REQUEST['filter'] != '') { |
40 |
- $filter = filter_input_general($_REQUEST['filter']); |
|
40 |
+ $filter = $_REQUEST['filter']; |
|
41 | 41 |
} |
42 | 42 |
$vhosts = list_vhosts($filter); |
43 | 43 |
|
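Review bot: Line 40 now hands `$_REQUEST['filter']` to `list_vhosts()` with no input check at all, where the old code at least rejected control characters; the output side is escaped in the next hunk, but how `list_vhosts()` uses the value is not visible here. Unless it is known to bind the value as a query parameter, keep the input check with `$filter = filter_input_oneline($_REQUEST['filter']);`, which still drops the HTML escaping that motivated the change.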
... | ... |
@@ -51,7 +51,7 @@ foreach ($vhosts as $vh) { |
51 | 51 |
} |
52 | 52 |
// Filter-Funktion |
53 | 53 |
if (count($vhosts) > 10 || $filter) { |
54 |
- $form = '<p><label for="filter">Filter für die Anzeige:</label> <input type="text" name="filter" id="filter" value="'.$filter.'"><button type="button" id="clear" title="Filter leeren">×</button><input type="submit" value="Filtern!"></p>'; |
|
54 |
+ $form = '<p><label for="filter">Filter für die Anzeige:</label> <input type="text" name="filter" id="filter" value="'.filter_output_html($filter).'"><button type="button" id="clear" title="Filter leeren">×</button><input type="submit" value="Filtern!"></p>'; |
|
55 | 55 |
output(html_form('vhosts_filter', 'vhosts', '', $form)); |
56 | 56 |
} |
57 | 57 |
|
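Review bot: The unchanged condition `|| $filter` on line 53 tests truthiness, so a filter value of `'0'` hides the form whenever ten or fewer vhosts match, leaving no way to clear it; use `|| $filter !== ''`. The escaping added on line 54 is correct for the attribute context.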
... | ... |
@@ -27,12 +27,12 @@ if (! in_homedir($directory)) { |
27 | 27 |
} |
28 | 28 |
|
29 | 29 |
$app = $_GET['app']; |
30 |
-verify_input_general($app); |
|
30 |
+verify_input_identifier($app); |
|
31 | 31 |
|
32 | 32 |
|
33 | 33 |
$sure = user_is_sure(); |
34 | 34 |
if ($sure === null) { |
35 |
- are_you_sure("dir={$directory}&app={$app}", "Möchten Sie ein Update der Anwendung »{$app}« im Verzeichnis »{$directory}« automatisch durchführen lassen?"); |
|
35 |
+ are_you_sure("dir={$directory}&app=".filter_output_html($app), "Möchten Sie ein Update der Anwendung »".filter_output_html($app)."« im Verzeichnis »{$directory}« automatisch durchführen lassen?"); |
|
36 | 36 |
} elseif ($sure === true) { |
37 | 37 |
request_update($app, $directory, get_url_for_dir($directory)); |
38 | 38 |
if (! $debugmode) { |
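Review bot: On line 35 `$app` is HTML-escaped inside a query string while `$directory` is interpolated raw into both the query string and the message, so two values in the same call are treated differently. The query string wants `urlencode()` on both values and the message wants `filter_output_html()` on both: `are_you_sure("dir=".urlencode($directory)."&app=".urlencode($app), "Möchten Sie ein Update der Anwendung »".filter_output_html($app)."« im Verzeichnis »".filter_output_html($directory)."« automatisch durchführen lassen?");`. How `are_you_sure()` escapes its arguments internally is not visible here, so confirm before applying to avoid double encoding. The return value of `verify_input_identifier()` on line 30 is discarded, which is only safe if it aborts on failure like the other verify helpers.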
... | ... |
@@ -42,7 +42,7 @@ output('<h4>Ihr Initialisierungs-Code</h4><p style="font-size: 120%;">'.$secret. |
42 | 42 |
|
43 | 43 |
output('<h3>Testen Sie es...</h3><p>Nachdem Sie den Startwert in Ihren TOTP-Generator eingegeben haben bzw. den QRCode eingescannt haben, erhalten Sie umgehend einen Zugangscode. Geben Sie diesen hier ein um die Funktion zu testen:</p>'); |
44 | 44 |
|
45 |
-$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_input_general($username).'" /></p> |
|
45 |
+$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_output_html($username).'" /></p> |
|
46 | 46 |
<p>Ihr neues Webmail-Passwort: <input type="password" name="webmailpass" /></p> |
47 | 47 |
<p>Der aktuellste Einmal-Code: <input type="text" name="totp_code" /></p> |
48 | 48 |
<p><input type="submit" value="Prüfen!" /></p>'; |
... | ... |
@@ -26,10 +26,10 @@ title("Zwei-Faktor-Anmeldung am Webmailer"); |
26 | 26 |
output('<p><strong>Hinweise:</strong></p><ul><li>Nach Einrichtung der Zwei-Faktor-Anmeldung funktioniert bei der Anmeldung über <a href="'.config('webmail_url').'">die zentrale Webmail-Login-Seite</a> nur noch dieses Passwort zusammen mit dem Einmal-Code, der mit dem TOTP-Generator erzeugt wird.</li> |
27 | 27 |
<li>Ihr bestehendes IMAP-Passwort wird mit dem neuen Passwort verschlüsselt.</li><li>Über IMAP bzw. POP3 kann weiterhin nur mit dem bisherigen Passwort zugegriffen werden.</li><li>Wenn Sie ihr IMAP-Passwort ändern, wird diese Zwei-Faktor-Anmeldung automatisch abgeschaltet.</li></ul>'); |
28 | 28 |
|
29 |
-$form = '<p>Geben Sie zunächst bitte das bestehende Passwort des Postfachs <strong>'.filter_input_general($username).'</strong> ein:</p> |
|
29 |
+$form = '<p>Geben Sie zunächst bitte das bestehende Passwort des Postfachs <strong>'.filter_output_html($username).'</strong> ein:</p> |
|
30 | 30 |
<p>Postfach-Passwort: <input type="password" name="oldpw" /></p>'; |
31 | 31 |
|
32 |
-$form .= '<p>Geben sie hier bitte das neue Passwort ein, mit dem sich der Benutzer <strong>'.filter_input_general($username).'</strong> zukünftig anmelden muss.</p> |
|
32 |
+$form .= '<p>Geben sie hier bitte das neue Passwort ein, mit dem sich der Benutzer <strong>'.filter_output_html($username).'</strong> zukünftig anmelden muss.</p> |
|
33 | 33 |
<p>Neues Webmail-Passwort: <input type="password" name="newpw" /></p>'; |
34 | 34 |
|
35 | 35 |
$form .= '<p><input type="submit" value="Einrichten" /></p>'; |
... | ... |
@@ -62,7 +62,7 @@ if (isset($_REQUEST['username'])) { |
62 | 62 |
output('<p>Geben Sie hier die Login-Daten ein um Ihren Zugang zu testen.</p>'); |
63 | 63 |
} |
64 | 64 |
|
65 |
-$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_input_general($username).'" /></p> |
|
65 |
+$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_output_html($username).'" /></p> |
|
66 | 66 |
<p>Ihr neues Webmail-Passwort: <input type="password" name="webmailpass" /></p> |
67 | 67 |
<p>Der aktuellste Einmal-Code: <input type="text" name="totp_code" /></p> |
68 | 68 |
<p><input type="submit" value="Prüfen!" /></p>'; |
69 | 69 |