From: <ji...@us...> - 2007-05-16 22:20:48
Update of /cvsroot/phpicalendar/phpicalendar/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23579
Modified Files:
init.inc.php
Added Files:
sanitize.php
Log Message:
fix xss vulnerability by adding sanitizer for input vars from post, get, cookie, request
--- NEW FILE: sanitize.php ---
<?php
foreach ($_REQUEST as $key=>$val){
switch ($key){
case 'event_data':
# modify this to allow or disallow different HTML tags in event popups
$allowed = "<p><br><b><i><em><a><img><div><span><ul><ol><li><h1><h2><h3><h4><h5><h6><hr><em><strong><small><table><tr><td><th>";
$val = strip_tags($val,$allowed)
break;
default:
# cpath
$val = strip_tags($val);
}
$_REQUEST[$key] = $val;
}
foreach ($_POST as $key=>$val){
switch ($key){
case 'action':
$actions = array('login','logout','addupdate','delete');
if (!in_array($val,$actions)) $val = '';
break;
case 'date':
case 'time':
if (!is_int($val)) $val = '';
break;
default:
$val = strip_tags($val);
}
$_POST[$key] = $val;
}
foreach ($_GET as $key=>$val){
switch ($key){
case 'getdate':
if (!is_int($val)) $val = '';
break;
default:
$val = strip_tags($val);
}
$_GET[$key] = $val;
}
foreach ($_COOKIE as $key=>$val){
switch ($key){
case 'time':
if (!is_int($val)) $val = '';
break;
default:
$val = strip_tags($val);
}
$_COOKIE[$key] = $val;
}
?>
Index: init.inc.php
===================================================================
RCS file: /cvsroot/phpicalendar/phpicalendar/functions/init.inc.php,v
retrieving revision 1.106
retrieving revision 1.107
diff -C2 -d -r1.106 -r1.107
*** init.inc.php 14 Nov 2006 07:38:14 -0000 1.106
--- init.inc.php 16 May 2007 22:20:47 -0000 1.107
***************
*** 15,18 ****
--- 15,19 ----
if (!defined('BASE')) define('BASE', './');
include_once(BASE.'config.inc.php');
+ include_once(BASE.'functions/sanitize.php');
$cookie_name = 'phpicalendar_'.basename($default_path);
|
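Review bot: The `event_data` case in the `$_REQUEST` loop of sanitize.php is missing its statement terminator — `$val = strip_tags($val,$allowed)` is followed directly by `break;` — so the file does not parse and, once init.inc.php includes it, every request fails with a parse error; it should read `$val = strip_tags($val, $allowed);`. The numeric guards in the other three loops never pass either: values in `$_POST`, `$_GET` and `$_COOKIE` always arrive as strings, so `is_int($val)` is false and `date`, `time` and `getdate` are blanked on every request; a string check such as `if (!ctype_digit($val)) $val = '';` expresses the intended "digits only" rule. Separately, strip_tags() leaves the attributes of allowed tags untouched, so the `event_data` allowlist (`<a>`, `<img>`, `<div>`, `<span>`, …) does not by itself close the XSS the log message describes — the popup needs either an attribute-aware HTML sanitizer or, simpler, htmlspecialchars() on the event text with HTML support dropped. Finally, `$_REQUEST` and `$_POST` are rewritten independently, so `$_REQUEST['event_data']` keeps its tags while `$_POST['event_data']` is fully stripped; a header comment stating which superglobal consumers are expected to read would avoid that surprise.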
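Review bot: The added `include_once(BASE.'functions/sanitize.php');` rewrites the superglobals in place at include time, so it only protects reads that happen after this line; anything in init.inc.php above line 15, or in config.inc.php included on the preceding line, that already read `$_GET`/`$_COOKIE` saw raw values (both are outside the hunk, so this is inferred rather than observed). A one-line comment above the include would pin that ordering for future edits: `// sanitize.php rewrites $_GET/$_POST/$_COOKIE/$_REQUEST in place; keep it before any code that reads them`.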