Changeset 159


Timestamp:
08/17/05 13:34:33 (5 years ago)
Author:
anti
Message:

+ use htmlspecialchars() on the messages returned by some functions, before displaying them to the user, because those messages might contain user input (results of add_collection/update_collection do in some cases) and this could be used for XSS attacks

File:
1 edited

  • trunk/admin/plog-manage.php

    r156 r159  
    430430        } 
    431431 
     432        // pass the results through htmlspecialchars, because they might contain user input 
    432433        if (!empty($action_result['errors'])) { 
    433                 $output .= '<p class="errors">' . $action_result['errors'] . '</p>'; 
     434                $output .= '<p class="errors">' . htmlspecialchars($action_result['errors']) . '</p>'; 
    434435        } elseif (!empty($action_result['output'])) { 
    435                 $output .= '<p class="actions">' . $action_result['output'] . '</p>'; 
     436                $output .= '<p class="actions">' . htmlspecialchars($action_result['output']) . '</p>'; 
    436437        }; 
    437438} 
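Review bot: htmlspecialchars() is called with its default flags on both the errors line (r159 line 434) and the output line (r159 line 436); the default flag set (ENT_COMPAT) encodes double quotes but leaves single quotes untouched, so a message echoed inside a single-quoted attribute would still not be safe. Consider `htmlspecialchars($action_result['errors'], ENT_QUOTES)` and the same for `$action_result['output']`, and pass the page's character set as the third argument so the function's idea of a character matches the document's encoding. It is also worth confirming that none of the functions that fill $action_result['errors'] or $action_result['output'] return intentional markup (links, line breaks), because the whole string is now rendered literally; if some do, the escaping belongs at the point where user input is concatenated into the message, not here.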