From: Alex Dehnert
Date: Thu, 7 Apr 2011 00:42:04 +0000 (+0000)
Subject: Fix XSS vulnerabilities
X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/commitdiff_plain/e8d03b498ab117591104e55a779fdfe63b06ebd4
Fix XSS vulnerabilities
git-svn-id: svn://sql.mit.edu/sql@191 a142d4bd-2cfb-0310-9673-cb33a7e74f58
---
diff --git a/lib/proc.lib.php b/lib/proc.lib.php
index 865d498..2a07094 100644
--- a/lib/proc.lib.php
+++ b/lib/proc.lib.php
@@ -27,7 +27,7 @@ class proc {
 $err1[] = 'Database already exists.';
 }
 } else {
- $msg1[] = 'Database `'.$dbname.'` created.';
+ $msg1[] = 'Database `'.htmlentities($dbname).'` created.';
 }
 $i_newdb = $dbname;
 return array($msg1, $err1);
@@ -37,7 +37,7 @@ class proc {
 $dropdbs = array_keys($i_drop);
 foreach($dropdbs as $dbname) {
 if ($User->delDB($dbname)) {
- $msg1[] = 'Database `'.$dbname.'` dropped.';
+ $msg1[] = 'Database `'.htmlentities($dbname).'` dropped.';
 } else {
 $err1[] = mysql_error();
 }
diff --git a/tpl/main.php b/tpl/main.php
index aa02cef..89b0432 100644
--- a/tpl/main.php
+++ b/tpl/main.php
@@ -6,7 +6,7 @@ if (isset($i_dropask)) {
 $dropdbs = array_keys($i_dropask);
 echo '
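Review bot: The added `htmlentities($dbname)` call in the @@ -27 hunk relies on PHP's default flags and charset, so single quotes are left unescaped and, on PHP releases before 5.4, the input is treated as ISO-8859-1 rather than UTF-8; a multibyte database name can come out mangled and a surviving quote is a problem wherever the message lands in a single-quoted attribute. Pass the output context explicitly: `htmlentities($dbname, ENT_QUOTES, 'UTF-8')`. The same applies to the added line in the @@ -37 hunk of this file and to the @@ -6 hunk of tpl/main.php. The enclosing method of class proc starts before this hunk.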
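Review bot: In the @@ -37 hunk the escaping is added only on the success branch; the `$err1[] = mysql_error();` line two below still pushes the raw server message, and if that text echoes back the requested database name it reaches the page unescaped. Give it the same treatment, `$err1[] = htmlentities(mysql_error(), ENT_QUOTES, 'UTF-8');`, or escape `$msg1` and `$err1` once where they are rendered. The enclosing method of class proc starts before this hunk.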
';
 foreach($dropdbs as $dbname) {
- $msg1[] = 'Are you sure you want to drop `'.$dbname.'`? ';
+ $msg1[] = 'Are you sure you want to drop `'.htmlentities($dbname).'`? ';
 }
 echo '
';
 }
@@ -35,7 +35,7 @@ if (isset($i_dropask)) {
 else $percentage = 0;
 echo printBar($percentage, $db['Name'], str_replace(' ', ' ', sprintSize($db['nBytes'])));
 echo '';
- echo '';
+ echo '';
 echo '';
 }
 if ($total>0) {
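Review bot: In the @@ -6 hunk the escape is applied where the confirmation message is built rather than where `$msg1` is printed, so every other place that appends to `$msg1` has to remember the same call, while the rendering site (outside this hunk) is the only code that actually knows the output context. Consider escaping once at the point where `$msg1` is echoed and leaving the message text raw; `$dbname` here comes from the keys of `$i_dropask`, which presumably arrive from the request, so whichever layer does the escaping must treat it as untrusted. The surrounding `if (isset($i_dropask))` block starts before this hunk.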
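Review bot: In the @@ -35 hunk the context line `echo printBar($percentage, $db['Name'], ...)` still hands `$db['Name']` to `printBar()` unescaped, and if that helper interpolates the name into markup it needs the same `htmlentities($db['Name'], ENT_QUOTES, 'UTF-8')` treatment the other hunks of this commit apply. The text of the replaced `echo` line itself is not visible in this rendering, so whether the new markup escapes what it interpolates cannot be checked from here. The enclosing loop starts before this hunk.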