Changeset 185 for trunk/lib

Timestamp:

Jun 24, 2006 11:02:54 PM (18 years ago)

Author:

scdev

Message:

Q - added oTxt() around all printed PHP_SELFs to avoid XSS attack. See: ​http://blog.phpdoc.info/archives/13-XSS-Woes.html

Location:

trunk/lib

Files:

• Lock.inc.php (modified) (1 diff)
• Navigation.inc.php (modified) (2 diffs)
• PEdit.inc.php (modified) (1 diff)

trunk/lib/Lock.inc.php

@@ -365 +365 @@
 
         ?>
-        <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+        <form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
         <?php $app->printHiddenSession() ?>
         <input type="hidden" name="lock_id" value="<?php echo $this->getID(); ?>" />

trunk/lib/Navigation.inc.php

@@ -18 +18 @@
     // Configuration parameters for this object.
     var $_params = array(        
-        'html_title' = true,
-        'body_title' = true,
+        'head_title' => true,
+        'body_title' => true,
         'title' => true,
         'path' => true,
@@ -58 +58 @@
         $page = array(
             'title' => $title,
-            'url' => is_null($url) ? $_SERVER['PHP_SELF'] : $url;
+            'url' => is_null($url) ? $_SERVER['PHP_SELF'] : $url,
         );
         $this->pages[] = array_merge($page, $vars);

trunk/lib/PEdit.inc.php

@@ -228 +228 @@
         }
         ?>        
-        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="sc-pedit-form">
-        <input type="hidden" name="filename" value="<?php echo $_SERVER['PHP_SELF']; ?>" />
+        <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post" id="sc-pedit-form">
+        <input type="hidden" name="filename" value="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" />
         <input type="hidden" name="file_hash" value="<?php echo $this->_fileHash(); ?>" />
         <?php