secure requests; refs #893
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
8
api.php
8
api.php
@@ -1,4 +1,6 @@
|
||||
<?php
|
||||
use voku\helper\AntiXSS;
|
||||
|
||||
require __DIR__ . '/vendor/autoload.php';
|
||||
|
||||
require \Froxlor\Froxlor::getInstallDir() . '/lib/tables.inc.php';
|
||||
@@ -30,6 +32,12 @@ if (is_null($decoded_request)) {
|
||||
json_response(400, "Invalid JSON");
|
||||
}
|
||||
|
||||
/**
|
||||
* check for xss attempts and clean request
|
||||
*/
|
||||
$antiXss = new AntiXSS();
|
||||
$request = $antiXss->xss_clean($request);
|
||||
|
||||
// validate content
|
||||
try {
|
||||
$decoded_request = stripcslashes_deep($decoded_request);
|
||||
|
||||
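Review bot: The new `$antiXss->xss_clean($request)` call runs on the raw request string after it has already been decoded — the hunk header's `if (is_null($decoded_request))` shows decoding happened above — while the code that follows keeps working on `$decoded_request` (`stripcslashes_deep($decoded_request)`), so the cleaned `$request` appears to go unused unless it is decoded again below the hunk. If the intent is to filter the API payload, apply the cleaner to the decoded structure instead, e.g. `$decoded_request = $antiXss->xss_clean($decoded_request);` (xss_clean accepts arrays as well as strings), or re-decode after cleaning; filtering the JSON text itself risks altering it so that a later json_decode fails. Either way, a generic input filter does not replace per-context escaping where values are echoed back to clients. The surrounding script continues outside the hunk.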
@@ -299,7 +299,6 @@ class HTML
|
||||
$checkbox = self::makecheckbox('delete_userfiles', $chk_text, '1', false, '0', true, true);
|
||||
} else {
|
||||
$checkbox = '<input type="hidden" name="delete_userfiles" value="0" />' . "\n";
|
||||
;
|
||||
}
|
||||
|
||||
$text = strtr($text, array(
|
||||
|
||||
21
lib/init.php
21
lib/init.php
@@ -44,6 +44,8 @@ require dirname(__DIR__) . '/vendor/autoload.php';
|
||||
|
||||
use Froxlor\Database\Database;
|
||||
use Froxlor\Settings;
|
||||
use voku\helper\AntiXSS;
|
||||
use Froxlor\PhpHelper;
|
||||
|
||||
header("Content-Type: text/html; charset=UTF-8");
|
||||
|
||||
@@ -86,6 +88,17 @@ foreach ($_REQUEST as $key => $value) {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* check for xss attempts and clean important globals
|
||||
*/
|
||||
$antiXss = new AntiXSS();
|
||||
// check $_GET
|
||||
PhpHelper::cleanGlobal($_GET, $antiXss);
|
||||
// check $_POST
|
||||
PhpHelper::cleanGlobal($_POST, $antiXss);
|
||||
// check $_COOKIE
|
||||
PhpHelper::cleanGlobal($_COOKIE, $antiXss);
|
||||
|
||||
unset($_);
|
||||
unset($value);
|
||||
unset($key);
|
||||
@@ -473,9 +486,9 @@ unset($js);
|
||||
unset($css);
|
||||
|
||||
if (isset($_POST['action'])) {
|
||||
$action = $_POST['action'];
|
||||
$action = trim(strip_tags($_POST['action']));
|
||||
} elseif (isset($_GET['action'])) {
|
||||
$action = $_GET['action'];
|
||||
$action = trim(strip_tags($_GET['action']));
|
||||
} else {
|
||||
$action = '';
|
||||
// clear request data
|
||||
@@ -485,9 +498,9 @@ if (isset($_POST['action'])) {
|
||||
}
|
||||
|
||||
if (isset($_POST['page'])) {
|
||||
$page = $_POST['page'];
|
||||
$page = trim(strip_tags($_POST['page']));
|
||||
} elseif (isset($_GET['page'])) {
|
||||
$page = $_GET['page'];
|
||||
$page = trim(strip_tags($_GET['page']));
|
||||
} else {
|
||||
$page = '';
|
||||
}
|
||||
|
||||
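Review bot: `$_REQUEST` is still uncleaned after the cleanGlobal hunk: PHP populates it as a separate copy at request start, so cleaning `$_GET`, `$_POST` and `$_COOKIE` does not touch it, yet the hunk header (`foreach ($_REQUEST as $key => $value)`) shows this file reads from it. Add `PhpHelper::cleanGlobal($_REQUEST, $antiXss);` beside the three existing calls, or rebuild `$_REQUEST` from the cleaned arrays; cleanGlobal's definition is outside this diff, so whether it mutates its argument by reference should be confirmed. The later `trim(strip_tags($_POST['action']))` and `trim(strip_tags($_GET['page']))` lines (and their `$_GET`/`$_POST` twins) assume scalar values — an array-valued parameter makes strip_tags throw a TypeError on PHP 8 — so an `is_string()` guard or a `(string)` cast before them would keep those branches robust. This input filtering does not replace context-specific escaping at the output sites.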