From ba7ec8e256095281099af35fb79b832051c612e6 Mon Sep 17 00:00:00 2001
From: cash <cash.costello@gmail.com>
Date: Sat, 2 Jul 2011 09:39:08 -0400
Subject: added note about preventing reflected XSS vulnerabilities.

---
 engine/lib/input.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'engine')

diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
 /**
  * Get some input from variables passed on the GET or POST line.
  *
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
  * Note: this function does not handle nested arrays (ex: form input of param[m][n])
  * because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
  *
  * @param string $variable      The variable we want to return.
  * @param mixed  $default       A default value for the variable if it is not found.
-- 
cgit v1.2.3