From 414dbbf553da44e272ca131341e0991881ca67e3 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Thu, 21 Oct 2010 10:04:36 +0000
Subject: [PATCH] Added input cleanup

---
 includes/session.inc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/includes/session.inc b/includes/session.inc
index 97c8e104..bab3bc9b 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -175,6 +175,7 @@ include_once($path_to_root . "/includes/prefs/sysprefs.inc");
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 session_name('FA'.md5(dirname(__FILE__)));
+//include_once($path_to_root.'/modules/www_statistics/includes/db_sessions.inc');
 session_start();
 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
@@ -279,4 +280,16 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
+// GET cleanup against XSS. (NB in FA those are mainly numeric transaction numbers)
+ foreach($_GET as $name => $value) {
+// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+ $_GET[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+
+ }
+ foreach($_POST as $name => $value) {
+// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+ $_POST[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+
+ }
+
 ?>
\ No newline at end of file
-- 
2.30.2
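Review bot: The added `//include_once($path_to_root.'/modules/www_statistics/includes/db_sessions.inc');` is commented-out code checked into the session bootstrap. If the alternative session handler is meant to be optional it should be enabled through a configuration setting rather than by uncommenting a line; otherwise the line should be dropped, since dead includes drift out of date and get re-enabled by accident.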
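Review bot: The `htmlspecialchars()` calls on `$_GET[$name]` and `$_POST[$name]` are not recursive, so a nested array input (`name[]` form fields) is passed to `htmlspecialchars()` as an array, the resulting warning is swallowed by `@`, and the value is silently replaced with NULL; the same `@` also hides the case where a value is not valid in `$_SESSION['language']->encoding`, for which htmlspecialchars returns an empty string (PHP 5.4+ without ENT_SUBSTITUTE), so both failure modes become silent data loss instead of a visible error. Note also that `$_REQUEST` is a separate copy and still carries the raw values, so any code reading it bypasses this cleanup (whether FA reads `$_REQUEST` is not visible here). Escaping on input rather than at output also means stored data carries entities, and output code that escapes again will double-encode unless it accounts for that. The two loops are identical; a single by-reference callback applied with `array_walk_recursive()` handles nesting, removes the duplication, and lets warnings surface.
```php
$_POST = strip_quotes($_POST);
// Escape one request value in place; array_walk_recursive() descends into
// nested arrays (name[] fields) so they are no longer collapsed to NULL.
function escape_request_value(&$value, $key)
{
	$value = htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
}
array_walk_recursive($_GET, 'escape_request_value');
array_walk_recursive($_POST, 'escape_request_value');
```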