diff options
| author | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 |
|---|---|---|
| committer | Cash Costello <cash.costello@gmail.com> | 2011-07-04 09:15:11 -0700 |
| commit | 440c94c74f929344c5b755e2607c8426d4de08b3 (patch) | |
| tree | aa042845b8e241fdba5b9bd8ebeab66631437b4a /mod/embed | |
| parent | de111da23258cd2b513c8f4ab84712ee50272b23 (diff) | |
| parent | 3beedd84a7dbcf7a17a75248473302320653d231 (diff) | |
| download | elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.gz elgg-440c94c74f929344c5b755e2607c8426d4de08b3.tar.bz2 | |
Merge pull request #53 from cash/reflected_xss_fixes
Fixes #3544 Reflected xss fixes
Diffstat (limited to 'mod/embed')
| -rw-r--r-- | mod/embed/start.php | 6 | ||||
| -rw-r--r-- | mod/embed/views/default/embed/embed.php | 6 | ||||
| -rw-r--r-- | mod/embed/views/default/embed/upload/content.php | 1 |
3 files changed, 8 insertions, 5 deletions
diff --git a/mod/embed/start.php b/mod/embed/start.php index f6f1acc57..bdd832b4e 100644 --- a/mod/embed/start.php +++ b/mod/embed/start.php @@ -81,8 +81,10 @@ function embed_page_handler($page) { elgg_sort_3d_array_by_value($sections, 'name'); elgg_sort_3d_array_by_value($upload_sections, 'name'); - $active_section = get_input('active_section', NULL); - $internal_id = get_input('internal_id', NULL); + $active_section = get_input('active_section', ''); + $active_section = preg_replace('[\W]', '', $active_section); + $internal_id = get_input('internal_id', ''); + $internal_id = preg_replace('[\W]', '', $internal_id); echo elgg_view('embed/embed', array( 'sections' => $sections, diff --git a/mod/embed/views/default/embed/embed.php b/mod/embed/views/default/embed/embed.php index 77ce03699..2d8de1ca4 100644 --- a/mod/embed/views/default/embed/embed.php +++ b/mod/embed/views/default/embed/embed.php @@ -10,7 +10,7 @@ */ $sections = elgg_extract('sections', $vars, array()); -$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections))); +$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections)), false); $upload_sections = elgg_extract('upload_sections', $vars, array()); $internal_id = elgg_extract('internal_id', $vars); @@ -20,8 +20,8 @@ if (!$sections) { $content = elgg_view_title(elgg_echo('embed:media')); $content .= elgg_view('embed/tabs', $vars); - $offset = max(0, get_input('offset', 0)); - $limit = get_input('limit', 5); + $offset = (int)max(0, get_input('offset', 0)); + $limit = (int)get_input('limit', 5); // build the items and layout. if ($active_section == 'upload' || array_key_exists($active_section, $sections)) { diff --git a/mod/embed/views/default/embed/upload/content.php b/mod/embed/views/default/embed/upload/content.php index 24fce8112..8bedf5ad1 100644 --- a/mod/embed/views/default/embed/upload/content.php +++ b/mod/embed/views/default/embed/upload/content.php @@ -4,6 +4,7 @@ */ $upload_sections = elgg_extract('upload_sections', $vars, array()); $active_section = get_input('active_upload_section', array_shift(array_keys($upload_sections))); +$active_section = preg_replace('[\W]', '', $active_section); $options = array(); |