From: Scott P. <wht...@us...> - 2007-09-07 08:03:43
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv26477 Modified Files: issue.php Log Message: Fix sanitizing input in the issue entry to prevent XSS. Fixes bug# 1715697 Index: issue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/issue.php,v retrieving revision 1.38 retrieving revision 1.39 diff -C2 -d -r1.38 -r1.39 *** issue.php 7 Sep 2007 04:28:29 -0000 1.38 --- issue.php 7 Sep 2007 08:03:38 -0000 1.39 *************** *** 8,11 **** --- 8,12 ---- Changelog: + 2007-09-07 whtghst1: Fixed input sanitize to fix XSS. 2007-09-06 whtghst1: Fixed issue with Prooblem Detail changing when publishing to KB. 2007-09-06 whtghst1: Added magic_gpc_quotes detection and fixed all undefined constants errors *************** *** 66,70 **** --- 67,83 ---- set_text_domain("issue"); + //Clean oall POST values + foreach($_POST as $key => $val) { + // scubbing the field NAME... + if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if ($key != "selectremark") { + $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } + + echo $_POST['selectmark']; + // Retrieve Get/Post variables + $act = $_REQUEST['act']; $level = $_POST['level'];
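Review bot: the new Changelog line in the first hunk ("+ 2007-09-07 whtghst1: Fixed input sanitize to fix XSS.") does not cite the tracker item the log message says it fixes (bug# 1715697), so the entry cannot be traced back to the report from the file itself; suggest "2007-09-07 whtghst1: Fixed input sanitizing to prevent XSS (bug# 1715697)." while you are in there, and "Prooblem" in the 2007-09-06 line above it is a typo worth fixing in the same edit.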
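Review bot: in the second hunk the sanitizing loop leaves two inputs untouched that the XSS fix still depends on. "$act = $_REQUEST['act'];" reads from $_REQUEST, which also carries GET and cookie values that the "foreach($_POST as $key => $val)" loop never sees, and the "selectremark" field is exempted outright, so both still reach the page unescaped unless every place that renders them calls htmlentities() on output, and nothing in this hunk does. The stray "echo $_POST['selectmark'];" looks like leftover debugging and should be dropped before commit; note also that its key name differs from the "selectremark" exemption one line above, so it is unclear which field was meant. The field-name check "preg_match('/%/', urlencode($key))" will fire on legitimate array-style names such as fields[], because urlencode() turns "[" into "%5B", and for an array-valued field strip_tags($val) emits a warning and returns NULL rather than a scrubbed value; the die() text also claims the IP has been logged although no logging call is made. Finally, encoding with htmlentities() at input time stores an already HTML-encoded value, so any template that escapes again on output will produce "&amp;amp;"-style double encoding; the usual fix is to store the raw value and escape once at the point of output. Minor: "oall" and "scubbing" in the new comments are typos.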