authorBrett Profitt <brett.profitt@gmail.com>2011-08-25 10:00:38 -0700
committerBrett Profitt <brett.profitt@gmail.com>2011-08-25 10:00:38 -0700
commitdccc333c765bb28da55b4a55d9c916acdb88413a (patch)
treebdd26a0b4cd85241a19b7fcb2c0770f0ac3eb9f0 /engine/lib/input.php
parentec7b94a64aef23b85866ecdac8e8acc712d29bb6 (diff)
parent003cb81c7888f4d2fd763e5814027c6f8d71186f (diff)
Merge branch 'master' of github.com:brettp/Elgg
Diffstat (limited to 'engine/lib/input.php')
-rw-r--r--engine/lib/input.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
/**
* Get some input from variables passed on the GET or POST line.
*
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
* because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
*
* @param string $variable The variable we want to return.
* @param mixed $default A default value for the variable if it is not found.
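Review bot: The added sentence "If it is a string, escape quotes." understates the mitigation for the XSS risk the same paragraph warns about: escaping only quotes leaves `<` and `>` intact, so a caller who follows it literally and echoes the value into HTML is still exposed. The safer phrasing is context-based, e.g. `* integer, cast it to an int. If it is a string, escape it for the output context` followed by `* (e.g. htmlspecialchars() with ENT_QUOTES for HTML).` The new `@todo Is this ^ still?` line is also wedged inside the "Note:" paragraph before its blank `*` separator, which breaks the prose; PHPDoc tags conventionally go after the description, next to the `@param` lines, and the question would be clearer as `@todo Confirm whether the nested-array limitation from htmlawed filtering still applies.` The docblock and get_input() itself continue beyond the hunk.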