Fix CSRF vulnerabilities

[sql-web.git] / tpl / login.php

diff --git a/tpl/login.php b/tpl/login.php
index cd9acc5ed5efb5af17ca98578fed59fccb5d8b36..17eabb48cda5baf08a4cb763f24adbc27c246beb 100644 (file)
--- a/tpl/login.php
+++ b/tpl/login.php
@@ -4,23 +4,23 @@ include 'head.php';
 $thisTxt = isSSL()?' using this Certificate':' using your MySQL Password';
 ?>
 
-<h2>Login</h2>
+<h3>Login</h3>
 
 <?php printErrors($err); ?>
 
 <?php if (!isSSL()): ?>
 
 <form method=post action="<?=$URI?>">
-<h3>Please enter your MySQL login information:</h3>
-<p>username: <input type="text" name="u" value="<?=isset($i_u)?$i_u:''?>"></p>
+<p>Please enter your MySQL login information:</p>
+<p>username: <input type="text" name="u" value="<?=isset($i_u)?htmlentities($i_u):''?>"></p>
 <p>password: <input type="password" name="p"></p>
 
 <?php elseif (isSSL() && !empty($SSLCred)): ?>
 
 <form method=post action="<?=$URI?>">
-<h3>You are identified as: <?=$SSLUsername?></h3>
-<p><?=$SSLName?></p>
-<p><?=$SSLEmail?></p>
+<p>You are identified as: <?=htmlentities($SSLUsername)?></p>
+<p><?=htmlentities($SSLName)?></p>
+<p><?=htmlentities($SSLEmail)?></p>
 
 <?php endif; ?>
 
@@ -31,7 +31,7 @@ $thisTxt = isSSL()?' using this Certificate':' using your MySQL Password';
 
 <?php elseif (isSSL() && !is_null($SSLCred)): ?>
 
-<h3><a href="do/signup">Sign up</a> to use this service.</h3>
+<p><a href="do/signup">Sign up</a> to use this service.</p>
 
 <?php endif; ?>