From 9b112a56d0e3c93e062d1382527a27fc44518916 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Fri, 11 Mar 2011 19:15:04 +0100 Subject: Fix XSS vulnerability in package search results and package details. Signed-off-by: Lukas Fleischer --- web/template/pkg_details.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'web/template/pkg_details.php') diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 3b96791..eac7b69 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -29,7 +29,7 @@ else { if ($row["SubmitterUID"]) { $submitter = username_from_id($row["SubmitterUID"]); if ($SID) { - $submitter = '' . $submitter . ''; + $submitter = '' . htmlspecialchars($submitter) . ''; } } else { @@ -39,7 +39,7 @@ if ($row["SubmitterUID"]) { if ($row["MaintainerUID"]) { $maintainer = username_from_id($row["MaintainerUID"]); if ($SID) { - $maintainer = '' . $maintainer . ''; + $maintainer = '' . htmlspecialchars($maintainer) . ''; } } else { @@ -66,8 +66,8 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[

-
- ' . $row['URL'] ?>
+
+ ' . $row['URL'] ?>

@@ -79,7 +79,7 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[

-

+

@@ -161,12 +161,12 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[ if (isset($parsed_url['scheme']) || isset($src[1])) { # It is an external source - echo "{$src[0]}
\n"; + echo "" . htmlspecialchars($src[0]) . "
\n"; } else { $src = $src[0]; # It is presumably an internal source - echo "$src"; + echo "" . htmlspecialchars($src) . ""; echo "
\n"; } } -- cgit v1.2.3-70-g09d2