| author | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 | 
|---|---|---|
| committer | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 | 
| commit | 440c94c74f929344c5b755e2607c8426d4de08b3 (patch) | |
| tree | aa042845b8e241fdba5b9bd8ebeab66631437b4a /engine/lib/input.php | |
| parent | de111da23258cd2b513c8f4ab84712ee50272b23 (diff) | |
| parent | 3beedd84a7dbcf7a17a75248473302320653d231 (diff) | |
| download | elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.gz elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.bz2 | |
Merge pull request #53 from cash/reflected_xss_fixes
Fixes #3544 Reflected xss fixes
Diffstat (limited to 'engine/lib/input.php')
| -rw-r--r-- | engine/lib/input.php | 5 | 
1 files changed, 5 insertions, 0 deletions
| diff --git a/engine/lib/input.php b/engine/lib/input.php index 84752bc7d..56ec214dc 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -10,8 +10,13 @@  /**   * Get some input from variables passed on the GET or POST line.   * + * If using any data obtained from get_input() in a web page, please be aware that + * it is a possible vector for a reflected XSS attack. If you are expecting an + * integer, cast it to an int. If it is a string, escape quotes. + *   * Note: this function does not handle nested arrays (ex: form input of param[m][n])   * because of the filtering done in htmlawed from the filter_tags call. + * @todo Is this ^ still?   *   * @param string $variable      The variable we want to return.   * @param mixed  $default       A default value for the variable if it is not found. | 
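Review bot: the new docblock advice "If it is a string, escape quotes" understates what is needed against the reflected XSS this docblock warns about: escaping only quotes leaves `<` and `>` untouched, so a get_input() string echoed into HTML body context is still injectable. Suggest replacing that sentence with guidance to encode for the output context, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` before echoing into HTML, alongside the existing advice to cast expected integers with `(int)`. The added `@todo Is this ^ still?` should also say what is being asked (whether the htmlawed filtering from filter_tags still prevents nested arrays such as param[m][n]), since the caret has no meaning once the comment is rendered by a documentation generator.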
