Changeset 185 for branches/1.1dev/templates

Timestamp:

Jun 24, 2006 11:02:54 PM (18 years ago)

Author:

scdev

Message:

Q - added oTxt() around all printed PHP_SELFs to avoid XSS attack. See: ​http://blog.phpdoc.info/archives/13-XSS-Woes.html

Location:

branches/1.1dev/templates

Files:

• adm_admin_form.ihtml (modified) (1 diff)
• adm_admin_list.ihtml (modified) (1 diff)
• adm_log_list.ihtml (modified) (1 diff)
• adm_login_form.ihtml (modified) (1 diff)
• adm_record_lock.ihtml (modified) (1 diff)
• adm_record_version_list.ihtml (modified) (1 diff)
• login_form.ihtml (modified) (1 diff)
• passwd.ihtml (modified) (1 diff)

branches/1.1dev/templates/adm_admin_form.ihtml

@@ -1 +1 @@
 <?php include 'form_error_header.ihtml'; ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession(); ?>
 <input type="hidden" name="op" value="<?php echo $frm['new_op']; ?>">

branches/1.1dev/templates/adm_admin_list.ihtml

@@ -1 +1 @@
 
 <?php include 'form_error_header.ihtml'; ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php $carry_queries = array('search_query', 'filter_admin_priv'); ?>
 <?php printHiddenSession(false); ?>

branches/1.1dev/templates/adm_log_list.ihtml

@@ -1 +1 @@
 
 <?php include 'form_error_header.ihtml'; ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php printHiddenSession(false); ?>
 

branches/1.1dev/templates/adm_login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <table border="0" cellspacing="0" cellpadding="4">

branches/1.1dev/templates/adm_record_lock.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="hidden" name="lock_id" value="<?php echo $lock->getID(); ?>" />

branches/1.1dev/templates/adm_record_version_list.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="submit" class="formsubmitbutton" name="op" value="<?php echo _("Cancel"); ?>">

branches/1.1dev/templates/login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <table border="0" cellspacing="0" cellpadding="4">

branches/1.1dev/templates/passwd.ihtml

@@ -1 +1 @@
 <?php include 'form_error_header.ihtml'; ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="hidden" name="op" value="update_password">