[aur-dev] [PATCH 2/2] Escape all output strings in the header and footer
Lukas Fleischer
archlinux at cryptocrack.de
Sat Feb 18 23:09:26 EST 2012
Escape each output string using htmlspecialchars(). These aren't
exploitable, but it's still better to escape them properly.
Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
Based on maint. This is applied to our production environment on sigurd.
web/template/footer.php | 2 +-
web/template/header.php | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/web/template/footer.php b/web/template/footer.php
index 435de5c..0948f68 100644
--- a/web/template/footer.php
+++ b/web/template/footer.php
@@ -2,7 +2,7 @@
<!-- End of main content -->
<?php
if ($ver) {
- echo "<div class=\"pgbox version\">$ver</div>";
+ echo "<div class=\"pgbox version\">" . htmlspecialchars($ver) . "</div>";
}
?>
</body>
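Review bot: The added `htmlspecialchars($ver)` in the footer relies on the function's default encoding, which is ISO-8859-1 before PHP 5.4 and UTF-8 from 5.4 on, so the same template can escape differently on the production host and on a developer box. Pinning it explicitly removes that dependency: `echo "<div class=\"pgbox version\">" . htmlspecialchars($ver, ENT_QUOTES, 'UTF-8') . "</div>";`. The same applies to every htmlspecialchars() call this patch adds in the two header.php hunks.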
diff --git a/web/template/header.php b/web/template/header.php
index 578fcb9..327819e 100644
--- a/web/template/header.php
+++ b/web/template/header.php
@@ -2,7 +2,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
- xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>">
+ xml:lang="<?php print htmlspecialchars($LANG) ?>" lang="<?php print htmlspecialchars($LANG) ?>">
<head>
<title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title>
<link rel='stylesheet' type='text/css' href='css/fonts.css' />
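Review bot: On the new xml:lang/lang line both values sit inside double-quoted attributes but are escaped with the default flags, whereas the existing call on the `PHP_SELF` link further down the same file passes `ENT_QUOTES`; the default (ENT_COMPAT) leaves single quotes alone, which is sufficient for this double-quoted context but ties the safety of the escaping to the quoting style of each attribute. Using `htmlspecialchars($LANG, ENT_QUOTES)` in both places keeps attribute escaping uniform across the template and survives a later change to single-quoted attributes. The same remark applies to the `htmlspecialchars($lang)` and `htmlspecialchars($lang_name)` calls in the setlang hunk.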
@@ -52,8 +52,8 @@ reset($SUPPORTED_LANGS);
foreach ($SUPPORTED_LANGS as $lang => $lang_name) {
print '<a href="'
. htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)
- ."?setlang=$lang\" title=\"$lang_name\">"
- . strtolower($lang) . "</a>\n";
+ ."?setlang=\"" . htmlspecialchars($lang) . "\" title=\"" . htmlspecialchars($lang_name) . "\">"
+ . htmlspecialchars(strtolower($lang)) . "</a>\n";
}
?>
</div>
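Review bot: The first added line of the setlang hunk inserts an extra `\"` directly after `setlang=` that the removed line did not have, so for a key such as `en` (constructed example) the rendered markup becomes `href="...?setlang="en" title="English">`: the href attribute is terminated before the language code and `en"` is left as a stray token in the tag, so the links would most likely no longer carry the language. The intended line is `."?setlang=" . htmlspecialchars($lang) . "\" title=\"" . htmlspecialchars($lang_name) . "\">"`. Since `$lang` is placed in a query string inside an attribute, `htmlspecialchars(urlencode($lang))` would be the correct layering, although the keys come from `$SUPPORTED_LANGS` so this is defensive rather than fixing an exposure. The enclosing PHP block starts before this hunk (the `reset($SUPPORTED_LANGS)` in the hunk header is the only earlier line visible).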
--
1.7.9.1