Merge pull request #84 from nayo/patch-2
Fix error and set by default to preventXSS. Closes #84 and #85
This commit is contained in:
commit
722fefad1c
@ -651,7 +651,7 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) {
|
|||||||
*
|
*
|
||||||
* @return The form GET/REQUEST/SESSION/POST variable value or its default
|
* @return The form GET/REQUEST/SESSION/POST variable value or its default
|
||||||
*/
|
*/
|
||||||
function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=false) {
|
function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=true) {
|
||||||
switch($type) {
|
switch($type) {
|
||||||
case 'GET':
|
case 'GET':
|
||||||
$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
|
$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
|
||||||
@ -675,7 +675,7 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=fal
|
|||||||
system_message(array(
|
system_message(array(
|
||||||
'title'=>_('Generic Error'),
|
'title'=>_('Generic Error'),
|
||||||
'body'=>sprintf('%s: Called "%s" without "%s" using "%s"',
|
'body'=>sprintf('%s: Called "%s" without "%s" using "%s"',
|
||||||
basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST',false,null,true),preventXSS($attr),preventXSS($type)),
|
basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),preventXSS($attr),preventXSS($type)),
|
||||||
'type'=>'error'),
|
'type'=>'error'),
|
||||||
'index.php');
|
'index.php');
|
||||||
if($preventXSS && !is_null($value))
|
if($preventXSS && !is_null($value))
|
||||||
@ -686,10 +686,20 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=fal
|
|||||||
* Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST'))
|
* Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST'))
|
||||||
* Return valor escape XSS.
|
* Return valor escape XSS.
|
||||||
*/
|
*/
|
||||||
function preventXSS($value){
|
function preventXSS($data){
|
||||||
return htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8');
|
if (gettype($data) == 'array') {
|
||||||
|
foreach ($data as $key => $value) {
|
||||||
|
if (gettype($value) == 'array')
|
||||||
|
$data[$key] = preventXSS($value);
|
||||||
|
else
|
||||||
|
$data[$key] = htmlspecialchars($value);
|
||||||
|
}
|
||||||
|
return $data;
|
||||||
|
}
|
||||||
|
return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
* Record a system message.
|
* Record a system message.
|
||||||
* This function can be used as an alternative to generate a system message, if page hasnt yet been defined.
|
* This function can be used as an alternative to generate a system message, if page hasnt yet been defined.
|
||||||
*/
|
*/
|
||||||
|
Loading…
Reference in New Issue
Block a user