diff options
| author | cash <cash.costello@gmail.com> | 2011-07-02 09:39:08 -0400 |
|---|---|---|
| committer | cash <cash.costello@gmail.com> | 2011-07-02 09:39:08 -0400 |
| commit | ba7ec8e256095281099af35fb79b832051c612e6 (patch) | |
| tree | 975f0fef215ca17780ec2daf6c7bb4ced2b570c6 /engine | |
| parent | f5f3f205e97c2a3219897dd14de7d57659ce1181 (diff) | |
| download | elgg-ba7ec8e256095281099af35fb79b832051c612e6.tar.gz elgg-ba7ec8e256095281099af35fb79b832051c612e6.tar.bz2 | |
added note about preventing reflected XSS vulnerabilities.
Diffstat (limited to 'engine')
| -rw-r--r-- | engine/lib/input.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php index 84752bc7d..56ec214dc 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -10,8 +10,13 @@ /** * Get some input from variables passed on the GET or POST line. * + * If using any data obtained from get_input() in a web page, please be aware that + * it is a possible vector for a reflected XSS attack. If you are expecting an + * integer, cast it to an int. If it is a string, escape quotes. + * * Note: this function does not handle nested arrays (ex: form input of param[m][n]) * because of the filtering done in htmlawed from the filter_tags call. + * @todo Is this ^ still? * * @param string $variable The variable we want to return. * @param mixed $default A default value for the variable if it is not found. |