From: <dai...@us...> - 2018-01-06 00:20:58
Revision: 7901 http://sourceforge.net/p/web-erp/reponame/7901 Author: daintree Date: 2018-01-06 00:20:56 +0000 (Sat, 06 Jan 2018) Log Message: ----------- Attempt to avoid XSS problems created by logged in users by parsing out script> Modified Paths: -------------- trunk/Factors.php trunk/doc/Change.log trunk/includes/session.php Modified: trunk/Factors.php =================================================================== --- trunk/Factors.php 2018-01-03 19:35:47 UTC (rev 7900) +++ trunk/Factors.php 2018-01-06 00:20:56 UTC (rev 7901) @@ -205,7 +205,7 @@ <table class="selection"> <tr> <td>' . _('Factor company Name') . ':</td> - <td><input tabindex="1" type="text" name="FactorName" required="required" size="42" maxlength="40" value="' .$_POST['FactorName'].'" /></td> + <td><input tabindex="1" type="text" name="FactorName" required="required" size="42" maxlength="40" value="' . $_POST['FactorName'] . '" /></td> </tr> <tr> <td>' . _('Address Line 1') . ':</td> Modified: trunk/doc/Change.log =================================================================== --- trunk/doc/Change.log 2018-01-03 19:35:47 UTC (rev 7900) +++ trunk/doc/Change.log 2018-01-06 00:20:56 UTC (rev 7901) 
@@ -1,5 +1,6 @@ webERP Change Log +6/1/18 Phil: Attempt to avoid XSS attacks by logged in users by parsing out "script>" from all $_POST and $_GET variables. 3/1/18: PaulT: SelectSalesOrder.php: Fix search to retain quote option and set StockLocation to the UserStockLocation to auto-load current Sales Orders. 2/1/18: PaulT: SelectSalesOrder.php: Move handling for URL Quotations parameter to top of file to avoid potential page error(s). (Reported in forums by Paul Becker) Handling move reduces code within some conditional checks. This change also includes minor whitespace improvements and removes an unused global reference. 2/1/18: PaulT: css/default/default.css: Add text alignment in a couple of styles to match the same use in other CSS to avoid formatting issues when the default theme is used. Also, set several property names to lowercase. @@ -27,7 +28,7 @@ 3/12/17 Phil commited Tim's BankAccountBalances.php script 2/12/17 Exson: Fixed the outstanding quantity is not right in PO_SelectOSPurchOrder.php. 2/12/17 Phil committed Tim Schofield's fix for javascript date picker for US date formats -2/12/17 Phil/Paul Becker: Purchases report - also deleted id non-exsitent in css committed changes suggested by VortecCPI http://www.weberp.org/forum/showthread.php?tid=7943 +2/12/17 Phil/Paul Becker: Purchases report - also deleted id non-exsitent in css committed changes suggested by VortecCPI http://www.weberp.org/forum/showthread.php?tid=7943 23/11/2017 Andy Couling: Added Petty Cash receipt file upload to directory functionality. 7/11/17 Exson: Remove cost updating for WAC method in BOMs.php. 25/10/17 Exson: Fixed the salesman authority problem in PrintCustTrans.php. Modified: trunk/includes/session.php =================================================================== --- trunk/includes/session.php 2018-01-03 19:35:47 UTC (rev 7900) +++ trunk/includes/session.php 2018-01-06 00:20:56 UTC (rev 7901) 
@@ -55,13 +55,14 @@ if(get_magic_quotes_gpc()) { $_POST['name'] = stripslashes($_POST['name']); } - $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); + + $_POST[$PostVariableName] = DB_escape_string(str_replace('script>','',$PostVariableValue)); } else { foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) { if(get_magic_quotes_gpc()) { $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]); } - $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue); + $PostVariableValue[$PostArrayKey] = DB_escape_string(str_replace('script>','',$PostArrayValue)); } } } @@ -71,7 +72,7 @@ */ foreach ($_GET as $GetKey => $GetValue) { if (gettype($GetValue) != 'array') { - $_GET[$GetKey] = DB_escape_string($GetValue); + $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue)); } } } else { //set SESSION['FormID'] before the a user has even logged in |
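Review bot: in the Factors.php hunk (@@ -205,7 +205,7 @@) the change is whitespace only, and the line still interpolates the raw request value into an HTML attribute (`value="' . $_POST['FactorName'] . '"`), which is the output point where the XSS named in the log message has to be fixed. Suggest `htmlspecialchars($_POST['FactorName'], ENT_QUOTES, 'UTF-8')` here; in an attribute context an attacker needs no `script>` substring at all, a closing quote plus an event-handler attribute suffices, and the `DB_escape_string` applied in session.php is SQL escaping whose backslashes mean nothing to the HTML parser.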
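Review bot: the new Change.log entry (@@ -1,5 +1,6 @@) says the substring is removed "from all $_POST and $_GET variables", but the session.php change in this same commit skips array-valued $_GET entries (the `if (gettype($GetValue) != 'array')` test has no else branch), so the entry overstates the coverage; either recurse into $_GET arrays or state the limitation. The entry also breaks the neighbours' format ("6/1/18 Phil:" against "3/1/18: PaulT:"); keep the date followed by a colon.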
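Review bot: the second Change.log hunk (@@ -27,7 +28,7 @@) removes and re-adds a textually identical 2/12/17 line, so it is a trailing-whitespace or line-ending change unrelated to the XSS work; drop it from this commit (or fix the file's eol-style once, separately) so the history stays attributable.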
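Review bot: in the session.php $_POST hunk (@@ -55,13 +55,14 @@), `str_replace('script>', '', ...)` is a single-pass, case-sensitive substring blacklist and does not stop XSS: `<scrscript>ipt>` collapses to `<script>` after the one replacement, `<SCRIPT>` and `<script src=x>` never contain the literal `script>`, and payloads such as `<img src=x onerror=...>` or `<svg onload=...>` need no script tag at all. It also silently corrupts any legitimate input that happens to contain that substring. Keep the SQL escaping (or move to bound parameters) and do HTML encoding with `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` at each output point instead; `str_ireplace` would close only the case gap and is not a fix. Two pre-existing defects in the surrounding context are worth correcting while touching these lines: the scalar branch calls `stripslashes($_POST['name'])` with the hard-coded key `'name'` instead of `$PostVariableName`, and the array branch reads `$value[$PostArrayKey]` from an undefined `$value` and then overwrites the result on the next line with `DB_escape_string(...$PostArrayValue)`, so that `stripslashes` is a no-op. The hunk also shows no write-back of `$PostVariableValue` into `$_POST[$PostVariableName]`; confirm it exists below the visible context, otherwise the array branch sanitises a copy.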
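Review bot: in the session.php $_GET hunk (@@ -71,7 +72,7 @@) the filter runs only for non-array values, so parameters of the form `?x[]=...` pass through untouched, diverging from the $_POST handling above and from the change-log claim; recurse into arrays as the $_POST branch does, or document the gap. The same blacklist caveat as for $_POST applies: removing the literal `script>` does not make these values safe to echo, so output encoding is still required where they are rendered.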