Merge pull request #82 from nayo/patch-1

Function to prevent XSS attacks
This commit is contained in:
Deon George 2019-07-31 07:38:06 +08:00 committed by GitHub
commit cb9c0cce3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -651,7 +651,7 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) {
* *
* @return The form GET/REQUEST/SESSION/POST variable value or its default * @return The form GET/REQUEST/SESSION/POST variable value or its default
*/ */
function get_request($attr,$type='POST',$die=false,$default=null) { function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=false) {
switch($type) { switch($type) {
case 'GET': case 'GET':
$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default; $value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
@ -675,14 +675,21 @@ function get_request($attr,$type='POST',$die=false,$default=null) {
system_message(array( system_message(array(
'title'=>_('Generic Error'), 'title'=>_('Generic Error'),
'body'=>sprintf('%s: Called "%s" without "%s" using "%s"', 'body'=>sprintf('%s: Called "%s" without "%s" using "%s"',
basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type), basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST',false,null,true),preventXSS($attr),preventXSS($type)),
'type'=>'error'), 'type'=>'error'),
'index.php'); 'index.php');
if($preventXSS && !is_null($value))
$value = preventXSS($value);
return $value; return $value;
} }
/** /**
* Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST'))
* Return valor escape XSS.
*/
function preventXSS($value){
return htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8');
}
* Record a system message. * Record a system message.
* This function can be used as an alternative to generate a system message, if page hasnt yet been defined. * This function can be used as an alternative to generate a system message, if page hasnt yet been defined.
*/ */
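Review bot: `addslashes()` inside the new `preventXSS` (`return htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8');`) is not an HTML-context encoding: it backslash-escapes quotes and backslashes, which `htmlspecialchars` with `ENT_QUOTES` already neutralises, so the only effect is to alter any value that legitimately contains those characters before it is shown (for example a DN carrying a `\,` escape would be displayed with a doubled backslash). The guard `if($preventXSS && !is_null($value))` also lets arrays through, and the `GET` branch at the top of the hunk shows `get_request` returning `$_GET[$attr]` unchanged when it is an array, which `addslashes`/`htmlspecialchars` reject (TypeError on PHP 8, warning and null on PHP 7). I would drop `addslashes`, recurse into arrays, and reword the docblock to state the contract — that the function encodes a request value for inclusion in HTML output only and is not an escape for LDAP, SQL or shell contexts. In the rendered view the added `}` is followed directly by ` * Record a system message.` without a `/**`; presumably the original opener is among the added lines and the renderer aligned it as context, but it is worth confirming the committed file still parses.

```php
/**
 * Encode a request value (string, or array of strings) for inclusion in HTML output.
 * This is output encoding only; it does not make a value safe for LDAP, SQL or shell use.
 */
function preventXSS($value) {
	// Arrays come straight from $_GET/$_POST; encode each element.
	if (is_array($value))
		return array_map('preventXSS', $value);

	return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}
```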