diff options
author | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 |
---|---|---|
committer | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 |
commit | 440c94c74f929344c5b755e2607c8426d4de08b3 (patch) | |
tree | aa042845b8e241fdba5b9bd8ebeab66631437b4a /engine | |
parent | de111da23258cd2b513c8f4ab84712ee50272b23 (diff) | |
parent | 3beedd84a7dbcf7a17a75248473302320653d231 (diff) | |
download | elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.gz elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.bz2 |
Merge pull request #53 from cash/reflected_xss_fixes
Fixes #3544 Reflected xss fixes
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/input.php | 5 | ||||
-rw-r--r-- | engine/lib/river.php | 3 |
2 files changed, 8 insertions, 0 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php index 84752bc7d..56ec214dc 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -10,8 +10,13 @@ /** * Get some input from variables passed on the GET or POST line. * + * If using any data obtained from get_input() in a web page, please be aware that + * it is a possible vector for a reflected XSS attack. If you are expecting an + * integer, cast it to an int. If it is a string, escape quotes. + * * Note: this function does not handle nested arrays (ex: form input of param[m][n]) * because of the filtering done in htmlawed from the filter_tags call. + * @todo Is this ^ still? * * @param string $variable The variable we want to return. * @param mixed $default A default value for the variable if it is not found. diff --git a/engine/lib/river.php b/engine/lib/river.php index 36dde7f05..1a2be1e50 100644 --- a/engine/lib/river.php +++ b/engine/lib/river.php @@ -589,10 +589,13 @@ function elgg_river_page_handler($page) { elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); + // make a URL segment available in page handler script $page_type = elgg_extract(0, $page, 'all'); + $page_type = preg_replace('[\W]', '', $page_type); if ($page_type == 'owner') { $page_type = 'mine'; } + set_input('page_type', $page_type); // content filter code here $entity_type = ''; |