aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorcash <cash.costello@gmail.com>2011-07-02 09:39:08 -0400
committercash <cash.costello@gmail.com>2011-07-02 09:39:08 -0400
commitba7ec8e256095281099af35fb79b832051c612e6 (patch)
tree975f0fef215ca17780ec2daf6c7bb4ced2b570c6
parentf5f3f205e97c2a3219897dd14de7d57659ce1181 (diff)
downloadelgg-ba7ec8e256095281099af35fb79b832051c612e6.tar.gz
elgg-ba7ec8e256095281099af35fb79b832051c612e6.tar.bz2
added note about preventing reflected XSS vulnerabilities.
-rw-r--r--engine/lib/input.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
/**
* Get some input from variables passed on the GET or POST line.
*
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
* because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
*
* @param string $variable The variable we want to return.
* @param mixed $default A default value for the variable if it is not found.