From: <dai...@us...> - 2018-01-06 10:18:45
Revision: 7902 http://sourceforge.net/p/web-erp/reponame/7902 Author: daintree Date: 2018-01-06 10:18:42 +0000 (Sat, 06 Jan 2018) Log Message: ----------- Changed to strip_tags rather than replace script> in _POST and _GET variables per Tims idea Modified Paths: -------------- trunk/doc/Change.log trunk/includes/session.php Modified: trunk/doc/Change.log =================================================================== --- trunk/doc/Change.log 2018-01-06 00:20:56 UTC (rev 7901) +++ trunk/doc/Change.log 2018-01-06 10:18:42 UTC (rev 7902) @@ -1,6 +1,6 @@ webERP Change Log -6/1/18 Phil: Attempt to avoid XSS attacks by logged in users by parsing out "script>" from all $_POST and $_GET variables. +6/1/18 Phil: Attempt to avoid XSS attacks by logged in users by parsing out "script>" from all $_POST and $_GET variables - subsequentely changed to strip_tags from all $_POST and $_GETs per Tim's recommendation 3/1/18: PaulT: SelectSalesOrder.php: Fix search to retain quote option and set StockLocation to the UserStockLocation to auto-load current Sales Orders. 2/1/18: PaulT: SelectSalesOrder.php: Move handling for URL Quotations parameter to top of file to avoid potential page error(s). (Reported in forums by Paul Becker) Handling move reduces code within some conditional checks. This change also includes minor whitespace improvements and removes an unused global reference. 2/1/18: PaulT: css/default/default.css: Add text alignment in a couple of styles to match the same use in other CSS to avoid formatting issues when the default theme is used. Also, set several property names to lowercase. Modified: trunk/includes/session.php =================================================================== --- trunk/includes/session.php 2018-01-06 00:20:56 UTC (rev 7901) +++ trunk/includes/session.php 2018-01-06 10:18:42 UTC (rev 7902) 
@@ -56,13 +56,13 @@ $_POST['name'] = stripslashes($_POST['name']); } - $_POST[$PostVariableName] = DB_escape_string(str_replace('script>','',$PostVariableValue)); + $_POST[$PostVariableName] = DB_escape_string(strip_tags($PostVariableValue)); } else { foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) { if(get_magic_quotes_gpc()) { $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]); } - $PostVariableValue[$PostArrayKey] = DB_escape_string(str_replace('script>','',$PostArrayValue)); + $PostVariableValue[$PostArrayKey] = DB_escape_string(strip_tags($PostArrayValue)); } } } @@ -72,7 +72,7 @@ */ foreach ($_GET as $GetKey => $GetValue) { if (gettype($GetValue) != 'array') { - $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue)); + $_GET[$GetKey] = DB_escape_string(strip_tags($GetValue)); } } } else { //set SESSION['FormID'] before the a user has even logged in |
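Review bot: the Change.log hunk has a typo in the new line, "subsequentely" should be "subsequently", and the entry would be clearer if it stated the current behaviour directly ("strip_tags() is now applied to all $_POST and $_GET values") instead of leading with the abandoned "script>" approach; a full stop at the end would match the other entries.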
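Review bot: in the @@ -56,13 hunk, swapping str_replace('script>','',...) for strip_tags() keeps an input-side filter that is both lossy and not a complete XSS control: strip_tags() removes everything from an unescaped "<" to the next ">" (a comment such as "qty < 10 > 5" or a name containing "<" is silently truncated), and values echoed into attributes or JavaScript still need HTML encoding at output time (htmlspecialchars() when rendering), so the pages should not treat this filter as sufficient. Two defects in the context lines are worth fixing in the same pass: the array branch calls stripslashes($value[$PostArrayKey]) but $value is not defined in that loop (the loop variable is $PostArrayValue), and strip_tags()/DB_escape_string() are applied to $PostArrayValue without an is_string() check, so a nested array element (a field named like a[b][c]) is passed to strip_tags() as an array. Finally, within the visible lines the sanitised $PostVariableValue array is never assigned back to $_POST[$PostVariableName] after the inner foreach; unless the outer foreach iterates by reference, the $_POST array values are left untouched.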
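Review bot: the @@ -72,7 hunk has the same concern for $_GET: strip_tags() followed by DB_escape_string() rewrites the parameter before any script sees it, so any "<...>" sequence and everything after an unmatched "<" disappears, and scripts that reuse $_GET values in links or form fields receive altered data, while output encoding is still required regardless. Since this loop sits in the logged-in branch (the else branch sets the FormID "before a user has even logged in"), GET parameters handled on pre-login pages get no treatment here, so those pages cannot rely on this filter either. Minor: the else-branch comment reads "before the a user has even logged in".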