diff --git a/api.php b/api.php
index 02ddc2c5..3409a492 100644
--- a/api.php
+++ b/api.php
@@ -1,4 +1,6 @@
 xss_clean($request);
+ // validate content
 try {
 $decoded_request = stripcslashes_deep($decoded_request);
diff --git a/lib/Froxlor/UI/HTML.php b/lib/Froxlor/UI/HTML.php
index b3ada3f2..84caf1da 100644
--- a/lib/Froxlor/UI/HTML.php
+++ b/lib/Froxlor/UI/HTML.php
@@ -299,7 +299,6 @@ class HTML
 $checkbox = self::makecheckbox('delete_userfiles', $chk_text, '1', false, '0', true, true);
 } else {
 $checkbox = '' . "\n";
- ;
 }
 $text = strtr($text, array(
diff --git a/lib/init.php b/lib/init.php
index 75d6e4f6..76a2536a 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -44,6 +44,8 @@ require dirname(__DIR__) . '/vendor/autoload.php';
 use Froxlor\Database\Database;
 use Froxlor\Settings;
+use voku\helper\AntiXSS;
+use Froxlor\PhpHelper;
 header("Content-Type: text/html; charset=UTF-8");
@@ -86,6 +88,17 @@ foreach ($_REQUEST as $key => $value) {
 }
 }
+/**
+ * check for xss attempts and clean important globals
+ */
+$antiXss = new AntiXSS();
+// check $_GET
+PhpHelper::cleanGlobal($_GET, $antiXss);
+// check $_POST
+PhpHelper::cleanGlobal($_POST, $antiXss);
+// check $_COOKIE
+PhpHelper::cleanGlobal($_COOKIE, $antiXss);
+
 unset($_);
 unset($value);
 unset($key);
@@ -473,9 +486,9 @@ unset($js);
 unset($css);
 if (isset($_POST['action'])) {
- $action = $_POST['action'];
+ $action = trim(strip_tags($_POST['action']));
 } elseif (isset($_GET['action'])) {
- $action = $_GET['action'];
+ $action = trim(strip_tags($_GET['action']));
 } else {
 $action = ''; // clear request data
@@ -485,9 +498,9 @@ if (isset($_POST['action'])) {
 }
 if (isset($_POST['page'])) {
- $page = $_POST['page'];
+ $page = trim(strip_tags($_POST['page']));
 } elseif (isset($_GET['page'])) {
- $page = $_GET['page'];
+ $page = trim(strip_tags($_GET['page']));
 } else {
 $page = '';
 }
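Review bot: The two new `use` lines in the init.php hunk at -44 break the alphabetical grouping the surrounding imports follow: `use Froxlor\PhpHelper;` should sit between `use Froxlor\Database\Database;` and `use Froxlor\Settings;`, with the vendor import `use voku\helper\AntiXSS;` placed after the Froxlor group. This is a style point only; nothing in the hunk changes behaviour.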
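Review bot: `$_REQUEST` is not cleaned in the init.php hunk at -86, and because PHP fills `$_REQUEST` as a separate copy when the request starts, filtering `$_GET`, `$_POST` and `$_COOKIE` afterwards leaves it untouched; the hunk header shows this file iterating `$_REQUEST` just above, so if it is read anywhere after this point that read bypasses the filter and should get `PhpHelper::cleanGlobal($_REQUEST, $antiXss);` alongside the other three calls. The `foreach ($_REQUEST …)` loop also runs before the cleaning, so whatever it copied out of the request still holds the raw values — worth confirming what that loop stores. Whether these calls modify the globals at all depends on `cleanGlobal()` taking its first argument by reference, which is not visible here. The `// check $_GET` style comments only restate the calls and the `/** */` block is a docblock on a plain statement; a single `//` comment explaining why the filter is applied at input time (and that it does not replace context-specific output escaping) would serve better than the four.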
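Review bot: `isset()` on the new lines of the init.php hunk at -473 is also true when `action` is submitted as an array, and `strip_tags()` then throws a `TypeError` on PHP 8 (a warning and `null` on PHP 7) instead of producing a string; guarding with `if (isset($_POST['action']) && is_string($_POST['action']))` (and the same on the `$_GET` branch) keeps the fallback path intact, and the -485 hunk for `page` needs the same guard. `strip_tags()` only removes markup and does not restrict `$action`/`$page` to known values, so if they select a page or module further down (not visible here), matching against an allowlist at that point is the check that matters. The identical `trim(strip_tags(...))` wrapper appears four times across the two hunks; a local `$clean = static fn (string $v): string => trim(strip_tags($v));` would keep it in one place.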