From: Janusz Dobrowolski
Date: Fri, 29 Oct 2010 16:16:36 +0000 (+0000)
Subject: Fixed input cleanup for arrays.
X-Git-Tag: v2.4.2~19^2~529
X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=d68fea6aa24f90b617f3159be54033a41062bf2b;p=fa-stable.git

Fixed input cleanup for arrays.
---
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f1a56419..9fe73074 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -19,6 +19,12 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+29-Oct-2010 Janusz Dobrowolski
+# Fixed reference display in credit note edition.
+$ /sales/includes/ui/sales_credit_ui.inc
+# Fixed cleanup for input arrays
+$ /includes/session.inc
+
 28-Oct-2010 Janusz Dobrowolski
 ! All mysql specific functions moved to connect_db.inc
 $ /admin/inst_theme.php
diff --git a/includes/session.inc b/includes/session.inc
index bab3bc9b..d747888a 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -131,6 +131,17 @@ function strip_quotes($data)
 	return $data;
 }
 
+function html_cleanup(&$parms)
+{
+	foreach($parms as $name => $value) {
+//		$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+		if (is_array($value))
+			html_cleanup($parms[$name]);
+		else
+			$parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+	}
+}
+
 //============================================================================
 //
 // 
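Review bot: html_cleanup escapes only the values of `$parms`; the keys are left untouched, and for `$_GET`/`$_POST` the keys come from the query string and form body just as the values do. Any code that later echoes a key, for instance when rebuilding hidden fields from a submitted array, therefore gets an unescaped string while a value on the same path would have been escaped. If keys are meant to be covered as well, rebuild the array with escaped keys as shown below; if they are deliberately excluded, a comment on the function saying so would stop the next reader from assuming otherwise. Separately, the `@` hides the one hint that htmlspecialchars could not handle the input: on a string that is not valid in the session encoding it returns an empty string (on PHP 5.4+ unless ENT_SUBSTITUTE is passed), so the field silently becomes `''`; a short comment such as `// @: malformed input yields '' rather than a warning` would make that trade-off explicit.
```php
function html_cleanup(&$parms)
{
	$clean = array();
	foreach($parms as $name => $value) {
		$key = @htmlspecialchars($name, ENT_QUOTES, $_SESSION['language']->encoding);
		if (is_array($value))
			html_cleanup($value);
		else
			$value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
		$clean[$key] = $value;
	}
	$parms = $clean;
}
```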
@@ -278,18 +289,8 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
-	$_POST = strip_quotes($_POST);
-
-// GET cleanup against XSS. (NB in FA those are mainly numeric transaction numbers)
-	foreach($_GET as $name => $value) {
-//		$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
-		$_GET[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
-
-	}
-	foreach($_POST as $name => $value) {
-//		$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
-		$_POST[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
-
-	}
+$_POST = strip_quotes($_POST);
+html_cleanup($_GET);
+html_cleanup($_POST);
 
 ?>
\ No newline at end of file
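Review bot: The comment explaining why `$_GET` is escaped was removed together with the old loops, so the surviving `// POST vars cleanup needed for direct reuse.` now reads as if it described only the `strip_quotes` call; suggest one line above the two new calls, `// GET/POST cleanup against XSS: html_cleanup() escapes every scalar, recursing into nested arrays.`. It is also worth stating in that comment that `$_REQUEST` is a separate copy built before this code runs, so if any page reads input through it the values there remain unescaped; whether anything in the project does so cannot be seen from this hunk.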