Fixed XSS issues
+4
-2
@@ -103,12 +103,14 @@ ob_start();
|
||||
|
||||
if(isset($_GET['content_id']) && $_GET['content_id'] != '')
|
||||
{
|
||||
$content_id = $_GET['content_id'];
|
||||
// Uses urlencode to avoid XSS issues
|
||||
$content_id = urlencode($_GET['content_id']);
|
||||
}
|
||||
else
|
||||
{
|
||||
$content_id = CIS_MENU_ENTRY_CONTENT;
|
||||
} ?>
|
||||
}
|
||||
?>
|
||||
|
||||
<ul id="menu">
|
||||
<?php if($content_id != CIS_MENU_ENTRY_CONTENT): ?>
|
||||
|
||||
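Review bot: `urlencode()` on line 25 is the wrong primitive for this value — it is a URL-component encoder, not an HTML escape, and it rewrites every non-alphanumeric character (`/`, space, `+`, umlauts) before `$content_id` is compared against `CIS_MENU_ENTRY_CONTENT` on line 54 and, presumably, used for a content lookup. If `content_id` is a numeric key, validate it instead: `$content_id = filter_var($_GET['content_id'], FILTER_VALIDATE_INT); if ($content_id === false) $content_id = CIS_MENU_ENTRY_CONTENT;` and apply `htmlspecialchars()` at the point where it is echoed. The hunk header's 12→14 count suggests the original assignment on line 19 survives as a dead store that line 25 immediately overwrites; drop it. The enclosing PHP block and the `<ul id="menu">` element continue outside the hunk.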
@@ -64,7 +64,8 @@ $lv_obj->load($lvid);
|
||||
$lv=$lv_obj;
|
||||
|
||||
if(isset($_GET['studiensemester_kurzbz']))
|
||||
$studiensemester_kurzbz=$_GET['studiensemester_kurzbz'];
|
||||
// Uses urlencode to avoid XSS issues
|
||||
$studiensemester_kurzbz = urlencode($_GET['studiensemester_kurzbz']);
|
||||
else
|
||||
$studiensemester_kurzbz='';
|
||||
|
||||
|
||||
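Review bot: Line 76 mangles legitimate semester keys instead of escaping output: `urlencode()` turns a `/` or space into `%2F`/`+`, so a value later handed to a database lookup will no longer match, while a value echoed into HTML still has not been escaped with the HTML-context function. Keep the raw value for the lookup (bound as a query parameter) and print it through `htmlspecialchars($studiensemester_kurzbz, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; if the key has a fixed alphanumeric format, an allow-list guard such as `if (!preg_match('/^[A-Za-z0-9]+$/', $studiensemester_kurzbz)) $studiensemester_kurzbz = '';` is the cheaper check. The `if` on line 67 is brace-less, so the new comment now sits between the condition and its statement — add braces. How `$studiensemester_kurzbz` is consumed lies outside the hunk.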
@@ -55,10 +55,11 @@ if (isset($_GET['datum']))
|
||||
if (isset($_POST['datum']))
|
||||
$datum=$_POST['datum'];
|
||||
|
||||
// Uses urlencode to avoid XSS issues
|
||||
if (isset($_GET['ort_kurzbz']))
|
||||
$ort_kurzbz=$_GET['ort_kurzbz'];
|
||||
$ort_kurzbz = urlencode($_GET['ort_kurzbz']);
|
||||
else if (isset($_POST['ort_kurzbz']))
|
||||
$ort_kurzbz=$_POST['ort_kurzbz'];
|
||||
$ort_kurzbz = urlencode($_POST['ort_kurzbz']);
|
||||
else
|
||||
$ort_kurzbz=null;
|
||||
|
||||
|
||||
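Review bot: Lines 109 and 118 URL-encode a value whose absent state is `null` (line 124), i.e. one the caller presumably compares or queries on; a key containing a space or an umlaut becomes `+`/`%C3%BC` and will never match again, while any later HTML output is still unescaped in the HTML sense. `$datum` on line 95 (and the `$_GET['datum']` branch starting above the hunk) is read from the request in the same block and gets no treatment at all. Keep the raw value for the query, bind it as a parameter, and escape at output with `htmlspecialchars($ort_kurzbz, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; the brace-less `if`/`else if` chain would also read more safely with braces now that statements are being swapped in and out.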
@@ -61,7 +61,10 @@ echo '<h1>',$p->t('tools/suche'),'</h1>';
|
||||
|
||||
$search = (isset($_REQUEST['search'])?$_REQUEST['search']:'');
|
||||
|
||||
echo '<form action="',$_SERVER['PHP_SELF'],'" name="searchform" method="GET">
|
||||
// Uses htmlspecialchars to avoid XSS issues
|
||||
$self = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");
|
||||
|
||||
echo '<form action="',$self,'" name="searchform" method="GET">
|
||||
<input type="search" placeholder="'.$p->t('tools/suchbegriff').' ..." size="40" name="search" value="',$db->convert_html_chars($search),'" />
|
||||
<img src="../../../skin/images/search.png" onclick="document.searchform.submit()" height="15px" class="suchicon"/>
|
||||
</form><br>';
|
||||
|
||||
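Review bot: Escaping `PHP_SELF` on line 147 closes the `action` injection, but `PHP_SELF` includes attacker-controlled `PATH_INFO`; using `$_SERVER['SCRIPT_NAME']` (still escaped) or an empty `action=""`, which submits to the current URL, removes the untrusted part entirely. Add `ENT_SUBSTITUTE` so an invalid byte sequence produces a replacement character instead of an empty string: `$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `$search` on line 155 goes through `$db->convert_html_chars()`, whose escaping is not visible here — confirm it is HTML-attribute safe; since the form is `method="GET"`, reading the value from `$_GET` rather than `$_REQUEST` (line 136) also removes the cookie/POST override. The `echo` string ends on line 161; the rest of the page is outside the hunk.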
@@ -86,7 +86,8 @@ $activities_str = "'".implode("','", $activities)."'";
|
||||
$gesperrt_bis = '2015-08-31';
|
||||
$sperrdatum = date('c', strtotime($gesperrt_bis));
|
||||
|
||||
$zeitaufzeichnung_id = (isset($_GET['zeitaufzeichnung_id'])?$_GET['zeitaufzeichnung_id']:'');
|
||||
// Uses urlencode to avoid XSS issues
|
||||
$zeitaufzeichnung_id = urlencode(isset($_GET['zeitaufzeichnung_id'])?$_GET['zeitaufzeichnung_id']:'');
|
||||
$projekt_kurzbz = (isset($_POST['projekt'])?$_POST['projekt']:'');
|
||||
$oe_kurzbz_1 = (isset($_POST['oe_kurzbz_1'])?$_POST['oe_kurzbz_1']:'');
|
||||
$oe_kurzbz_2 = (isset($_POST['oe_kurzbz_2'])?$_POST['oe_kurzbz_2']:'');
|
||||
|
||||
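Review bot: `$zeitaufzeichnung_id` on line 183 is by name a record id, so the right guard is type validation rather than `urlencode()`: `$zeitaufzeichnung_id = filter_var(isset($_GET['zeitaufzeichnung_id']) ? $_GET['zeitaufzeichnung_id'] : '', FILTER_VALIDATE_INT);` with `false` treated as absent. The `$_POST` values `projekt`, `oe_kurzbz_1` and `oe_kurzbz_2` on lines 186–192 are taken raw in the same block; if they are echoed back or placed in a query they need `htmlspecialchars()` at output and parameter binding respectively, neither of which this commit adds. `$activities_str` in the hunk header is built by quoting with string concatenation — if `$activities` ever derives from user input that is an injection point, but its origin is outside the hunk.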
@@ -784,11 +784,12 @@ function getSprache()
|
||||
{
|
||||
if(isset($_COOKIE['sprache']))
|
||||
{
|
||||
$sprache=$_COOKIE['sprache'];
|
||||
// Uses urlencode to avoid XSS issues
|
||||
$sprache = urlencode($_COOKIE['sprache']);
|
||||
}
|
||||
else
|
||||
{
|
||||
$sprache=DEFAULT_LANGUAGE;
|
||||
$sprache = DEFAULT_LANGUAGE;
|
||||
}
|
||||
setSprache($sprache);
|
||||
}
|
||||
|
||||