
List:       kde-commits
Subject:    [websites/quality-kde-org] website/api.kde.org: Protect against XSS
From:       Albert Astals Cid <null () kde ! org>
Date:       2017-08-22 23:09:10
Message-ID: E1dkIII-0006wi-RF () code ! kde ! org

Git commit 03be29160a73861748e9fa25930eadb979ec40b0 by Albert Astals Cid.
Committed on 22/08/2017 at 23:09.
Pushed by aacid into branch 'master'.

Protect against XSS

M  +1    -1    website/api.kde.org/includes/search.inc
M  +3    -3    website/api.kde.org/mapsearcher.php

https://commits.kde.org/websites/quality-kde-org/03be29160a73861748e9fa25930eadb979ec40b0


diff --git a/website/api.kde.org/includes/search.inc b/website/api.kde.org/includes/search.inc
index e714ca2..a37574c 100644
--- a/website/api.kde.org/includes/search.inc
+++ b/website/api.kde.org/includes/search.inc
@@ -11,7 +11,7 @@
 ?>
 
 <form action="/mapsearcher.php" method="get">
-<input type="text" name="class" value="<?php if (array_key_exists('class',$_GET)) { echo $_GET["class"]; } else { echo "search term"; } ?>" style="width:100%;" onClick="this.value='';"/><br/>
+<input type="text" name="class" value="<?php if (array_key_exists('class',$_GET)) { echo htmlentities($_GET["class"]); } else { echo "search term"; } ?>" style="width:100%;" onClick="this.value='';"/><br/>
 <select name="module">
 <option>ALL</option>
   <option>kdelibs</option>
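Review bot: The added `htmlentities($_GET["class"])` on the `+<input` line relies on PHP's default flags and charset, which have changed across versions (single quotes are not encoded under the pre-8.1 default, and the assumed charset depends on the PHP release); the value lands inside a double-quoted attribute so the breakout is closed here, but the contract should be explicit: `echo htmlentities($_GET["class"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Separately, a request such as `?class[]=x` makes `$_GET["class"]` an array, which `htmlentities()` rejects (a warning and null on PHP 7, a TypeError on PHP 8), so the `array_key_exists` condition should also require `is_string($_GET['class'])`. The surrounding form markup continues past the hunk.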
diff --git a/website/api.kde.org/mapsearcher.php b/website/api.kde.org/mapsearcher.php
index c21eba0..05ecf8a 100644
--- a/website/api.kde.org/mapsearcher.php
+++ b/website/api.kde.org/mapsearcher.php
@@ -3,17 +3,17 @@
 # Default to ALL in ALL and no class
 $version = 'ALL';
 if (array_key_exists('version',$_GET)) {
-	$version = $_GET['version'];
+	$version = htmlentities($_GET['version']);
 }
 
 $class = '';
 if (array_key_exists('class',$_GET)) {
-	$class = $_GET['class'];
+	$class = htmlentities($_GET['class']);
 }
 
 $module = 'ALL';
 if (array_key_exists('module',$_GET)) {
-	$module = $_GET['module'];
+	$module = htmlentities($_GET['module']);
 }
 
 $potential_files = false;
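Review bot: HTML-encoding `$version`, `$class` and `$module` at the point they are read (the three replaced assignments) bakes an output-context transformation into values that the rest of the script, which continues past the hunk, may use for something other than HTML; the `$potential_files = false;` on the last line suggests a file lookup follows, where `&amp;` or `&#039;` is a different string from what the user sent while a `../` sequence passes through `htmlentities()` untouched. The conventional fix is to keep the raw strings here and escape at each `echo` with `htmlspecialchars($x, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and to validate `$module` and `$version` against the fixed option list the search form offers, e.g. `if (!in_array($_GET['module'], $allowed_modules, true)) { $module = 'ALL'; }`, before they can reach a path. As on the form side, none of the three branches checks `is_string()`, so `?class[]=x` produces a warning or TypeError rather than a clean default.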


