diff --git a/lib/Froxlor/UI/Request.php b/lib/Froxlor/UI/Request.php
index 5a3bb9d1..3ff21786 100644
--- a/lib/Froxlor/UI/Request.php
+++ b/lib/Froxlor/UI/Request.php
@@ -1,6 +1,9 @@ (2010-)
  * @author Maurice Preuß
  * @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
- * @package API
+ * @package Request
  *
  */
 class Request
 {
+	/**
+	 * Check for xss attempts and clean important globals and
+	 * unsetting every variable registered in $_REQUEST and as variable itself
+	 */
+	public static function cleanAll()
+	{
+		foreach ($_REQUEST as $key => $value) {
+			if (isset($$key)) {
+				unset($$key);
+			}
+		}
+		unset($value);
+
+		$antiXss = new AntiXSS();
+
+		// check $_GET
+		PhpHelper::cleanGlobal($_GET, $antiXss);
+		// check $_POST
+		PhpHelper::cleanGlobal($_POST, $antiXss);
+		// check $_COOKIE
+		PhpHelper::cleanGlobal($_COOKIE, $antiXss);
+	}
+
 	/**
 	 * Get key from current request.
 	 *
@@ -27,6 +53,8 @@ class Request
 	 */
 	public static function get($key, string $default = null)
 	{
+		self::cleanAll();
+
 		return $_GET[$key] ?? $_POST[$key] ?? $default;
 	}
 
diff --git a/lib/init.php b/lib/init.php
index aa9c614d..5c64f2c6 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -67,27 +67,10 @@ UI::initTwig();
 /**
  * Register Globals Security Fix
- * - unsetting every variable registered in $_REQUEST and as variable itself
  */
-foreach ($_REQUEST as $key => $value) {
-	if (isset($$key)) {
-		unset($$key);
-	}
-}
-
-/**
- * check for xss attempts and clean important globals
- */
-$antiXss = new AntiXSS();
-// check $_GET
-PhpHelper::cleanGlobal($_GET, $antiXss);
-// check $_POST
-PhpHelper::cleanGlobal($_POST, $antiXss);
-// check $_COOKIE
-PhpHelper::cleanGlobal($_COOKIE, $antiXss);
+Request::cleanAll();
 
 unset($_);
-unset($value);
 unset($key);
 
 $filename = htmlentities(basename($_SERVER['SCRIPT_NAME']));
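Review bot: The variable-variable loop at the top of the new `cleanAll()` no longer does what it did in init.php: inside a method, `isset($$key)` and `unset($$key)` resolve against the method's own local scope, so the only names it can ever touch are its own `$key`, `$value` and `$antiXss`, and the global variables the docblock promises to unset are left alone. Since register_globals no longer exists in any supported PHP version the loop can simply be dropped; if it is kept as defence in depth it must address `$GLOBALS[$key]` explicitly, and because `$_REQUEST` keys are attacker-controlled it should never unset a superglobal or `GLOBALS` itself rather than unsetting whatever name the request happens to carry. Separately, `get()` now calls `cleanAll()` on every lookup, after init.php has already run it once, so each `Request::get()` builds a fresh AntiXSS instance and rescans `$_GET`, `$_POST` and `$_COOKIE`; a static once-guard keeps the call in `get()` as a safety net without the repeated work. The method also lacks a `: void` return type, which the file's existing scalar type hints suggest it could carry.
```php
	/** @var bool set once the superglobals have been cleaned for this request */
	private static $cleaned = false;

	public static function cleanAll(): void
	{
		if (self::$cleaned) {
			return;
		}
		self::$cleaned = true;

		// $$key inside a method only sees locals; unset the global of the same name instead,
		// but never a superglobal or GLOBALS itself, since request keys are untrusted input
		foreach (array_keys($_REQUEST) as $key) {
			$key = (string)$key;
			if ($key !== 'GLOBALS' && substr($key, 0, 1) !== '_' && array_key_exists($key, $GLOBALS)) {
				unset($GLOBALS[$key]);
			}
		}

		// … unchanged: AntiXSS instantiation and PhpHelper::cleanGlobal() calls for $_GET, $_POST, $_COOKIE …
	}
```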