Prevent XSS attack since function get_request

The $preventXSS parameter was added to the get_request function to avoid XSS attacks.
It was not set by default as $preventXSS=true, because it can affect fields such as passwords.

Using "htmlspecialchars" and "addslashes" functions of PHP.
This commit is contained in:
Genaro Contreras Gutierrez 2019-07-30 08:29:17 -07:00 committed by GitHub
parent 1bd14ddf68
commit 08c21fe7ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -651,7 +651,7 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) {
*
* @return The form GET/REQUEST/SESSION/POST variable value or its default
*/
function get_request($attr,$type='POST',$die=false,$default=null) {
function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=false) {
switch($type) {
case 'GET':
$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
@ -678,7 +678,8 @@ function get_request($attr,$type='POST',$die=false,$default=null) {
basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type),
'type'=>'error'),
'index.php');
if(!is_null($value))
$value = htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8');
return $value;
}