Changeset 185 for branches/1.1dev/bin


Timestamp:
Jun 24, 2006 11:02:54 PM (18 years ago)
Author:
scdev
Message:

Q - added oTxt() around all printed PHP_SELFs to avoid XSS attacks. See: http://blog.phpdoc.info/archives/13-XSS-Woes.html

Location:
branches/1.1dev/bin/module_maker
Files:
3 edited

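--- a/branches/1.1dev/bin/module_maker/list_template.cli.php
+++ b/branches/1.1dev/bin/module_maker/list_template.cli.php
@@ -104,5 +104,5 @@
 
 <\x3fphp include 'form_error_header.ihtml'; \x3f>
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="post">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="post">
 <\x3fphp printHiddenSession(false); \x3f>
 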
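Review bot: The new line 106 places the escaped value inside a double-quoted `action` attribute, and oTxt()'s implementation is not on this page, so it should be confirmed that it encodes `"` and `'` (htmlspecialchars with ENT_QUOTES) and not only `<`, `>` and `&`; otherwise the attribute can still be broken out of through PATH_INFO, which PHP_SELF reflects verbatim. A more robust form, independent of the escaper, is `<?php echo oTxt($_SERVER['SCRIPT_NAME']); ?>`, since SCRIPT_NAME does not carry the request's PATH_INFO. A one-line comment next to the form tag would help later readers keep the escaping in place, e.g. `<?php /* PHP_SELF echoes the request path incl. PATH_INFO, so it is user-influenced and must be escaped */ ?>`.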
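--- a/branches/1.1dev/bin/module_maker/module.cli.php
+++ b/branches/1.1dev/bin/module_maker/module.cli.php
@@ -248,7 +248,7 @@
 $search['admin_form_tag_init'] = '/%ADMIN_FORM_TAG_INIT%/';
 if ($multipart_form_required) {
-    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"12000000\">";
-} else {
-    $replace['admin_form_tag_init'] = "<form method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\">";
+    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"12000000\">";
+} else {
+    $replace['admin_form_tag_init'] = "<form method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\">";
 }
 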
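Review bot: The strings assigned on the new lines 250 and 252 are emitted into generated files via the `%ADMIN_FORM_TAG_INIT%` replacement set up on line 248, so the fix reaches only modules generated from now on; modules produced earlier still print the raw PHP_SELF and need regenerating or patching by hand (inferred from the search/replace structure — the generated output itself is not on this page). The `\$_SERVER` escape inside the double-quoted string is correct, as it keeps the variable literal for the emitted template rather than interpolating it at generation time; a short comment saying so would prevent a later "cleanup" from dropping the backslash, e.g. `// \$ is intentional: the variable must survive into the generated template`. The two branches now differ only by the enctype and the MAX_FILE_SIZE input, so the escaped action expression could be built once and reused to keep both paths in step.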
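--- a/branches/1.1dev/bin/module_maker/skel/adm_list.ihtml
+++ b/branches/1.1dev/bin/module_maker/skel/adm_list.ihtml
@@ -3,5 +3,5 @@
 
 <div id="commandbox">
-    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
+    <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="get">
         <?php printHiddenSession(false); ?>
         <span class="nowrap commandtext"><a href="<?php echo ohref($_SERVER['PHP_SELF'] . '?op=add'); ?>"><?php echo _("Add %ITEM_TITLE%"); ?></a></span>
@@ -18,5 +18,5 @@
 <?php include 'adm_list_info.ihtml'; ?>
 
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
     <?php printHiddenSession(false); ?>
     <table class="list">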
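Review bot: The unchanged line 7 of the first hunk still builds the add link from `$_SERVER['PHP_SELF'] . '?op=add'` through ohref(), and whether ohref() HTML-escapes the href attribute in addition to whatever URL handling it does cannot be seen on this page; it should be confirmed to give the same protection as oTxt() on the adjacent form tag, otherwise the same PATH_INFO injection remains one line below the fix. The form tag on the new line 20 is consistent with the one on line 5, so the two hunks agree with each other. This is a skeleton file that is copied into generated modules, so existing modules built from the old skeleton presumably keep the unescaped form tags until regenerated.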