Additional request input cleanup.

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 833c406a6c6262232fc10165b231fd3d7a495aec..7424b70cad401a87ca6b76f643854d3e0c1e528d 100644 (file)
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -19,6 +19,10 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+03-Nov-2010 Janusz Dobrowolski
+# More corrections in cleanup for input
+$ /includes/session.inc
+
 02-Nov-2010 Joe Hunt
 # Report Customer Details didn't show up correctly in Excel
 $ /reporting/rep103.php

diff --git a/includes/session.inc b/includes/session.inc
index d747888ac84ee242f2208766508359e3593ef508..9a93a5311fa57cdfc9194d446f61a38c6ef5ea7d 100644 (file)
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -238,6 +238,10 @@ set_error_handler('error_handler' /*, errtypes */);
 if (!isset($_SESSION["wa_current_user"]))
        $_SESSION["wa_current_user"] = new current_user();
 
+html_cleanup($_GET);
+html_cleanup($_POST);
+html_cleanup($_REQUEST);
+
 // logout.php is the only page we should have always 
 // accessable regardless of access level and current login status.
 if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
@@ -251,7 +255,7 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
                {
                        // strip ajax marker from uri, to force synchronous page reload
                        $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
-                                       '', @$_SERVER['REQUEST_URI']), 
+                                       '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), 
                                'post' => $_POST);
 
                        include($path_to_root . "/access/login.php");
@@ -291,6 +295,4 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
 
-html_cleanup($_GET);
-html_cleanup($_POST);
 ?>
\ No newline at end of file