[evolvis-commits] r10960: Cross-site scripting fixes for the account login and project registration page. Simply ensures these pages have htmlspecialchars() and stripslashes() called before showing things in the HTML forms. Resolves patch #1279 from Vittal Aithal.
mirabilos at evolvis.org
mirabilos at evolvis.org
Thu Feb 24 17:58:36 CET 2011
Author: mirabilos
Date: 2011-02-24 17:58:35 +0100 (Thu, 24 Feb 2011)
New Revision: 10960
Modified:
trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php
trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php
trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php
Log:
Cross-site scripting fixes for the account login and project registration
page.
Simply ensures these pages have htmlspecialchars() and stripslashes()
called before showing things in the HTML forms.
Resolves patch #1279 from Vittal Aithal.
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php 2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php 2011-02-24 16:58:35 UTC (rev 10960)
@@ -102,10 +102,10 @@
<span style="color:red"><strong><?php echo $Language->getText('account_login', 'cookiewarn'); ?></strong></span>
</p>
<form action="<?php echo $PHP_SELF; ?>" method="post">
-<input type="hidden" name="return_to" value="<?php echo $return_to; ?>" />
+<input type="hidden" name="return_to" value="<?php echo htmlspecialchars(stripslashes($return_to)); ?>" />
<p>
<?php echo $Language->getText('account_login', 'loginname'); ?>
-<br /><input type="text" name="form_loginname" value="<?php echo $form_loginname; ?>" />
+<br /><input type="text" name="form_loginname" value="<?php echo htmlspecialchars(stripslashes($form_loginname)); ?>" />
</p>
<p>
<?php echo $Language->getText('account_login', 'passwd'); ?>
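Review bot: The form tag on the context line `<form action="<?php echo $PHP_SELF; ?>" method="post">` still emits `$PHP_SELF` unescaped, which is the same attribute-injection class this commit closes for `return_to` and `form_loginname`. If `$PHP_SELF` mirrors `$_SERVER['PHP_SELF']` it carries the request path including any PATH_INFO suffix, so untrusted URL data would land in the attribute unescaped; `<form action="<?php echo htmlspecialchars($PHP_SELF); ?>" method="post">` closes that gap. The identical form tag is the first context line of the register.php hunk (file line 73) and needs the same treatment. The rest of the login form continues outside this hunk.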
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php 2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php 2011-02-24 16:58:35 UTC (rev 10960)
@@ -73,7 +73,7 @@
<form action="<?php echo $PHP_SELF; ?>" method="post">
<p>
<?php echo $Language->getText('account_register','loginname'); echo utils_requiredField(); ?><br />
-<input type="text" name="unix_name" value="<?php print($unix_name); ?>" />
+<input type="text" name="unix_name" value="<?php print(htmlspecialchars(stripslashes($unix_name))); ?>" />
</p>
<p>
<?php echo $Language->getText('account_register','password'); echo utils_requiredField(); ?><br />
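Review bot: `htmlspecialchars(stripslashes(...))` is now hand-repeated for every redisplayed field in this hunk and the three that follow (title/firstname/lastname, email/jabber_address, address/address2/phone/fax) as well as in projectinfo.php, with the output call alternating between `print(...)` and `echo`. A small page-level helper would keep the escaping uniform and gives one place for two caveats the hunk leaves open: an unconditional `stripslashes()` silently drops legitimate backslashes whenever magic_quotes_gpc is off (I cannot tell from the diff which setting the deployment assumes), and `htmlspecialchars()` without `ENT_QUOTES` leaves `'` untouched, which only matters if one of these values is ever placed in a single-quoted attribute. Call sites would then read `<?php echo form_value($unix_name); ?>`. The enclosing form starts before this hunk.
```php
// Escape a redisplayed request value for use inside an HTML attribute or element body.
function form_value($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return htmlspecialchars($value, ENT_QUOTES);
}
// … unchanged: form markup; each value="<?php echo htmlspecialchars(stripslashes($x)); ?>" becomes value="<?php echo form_value($x); ?>" …
```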
@@ -85,15 +85,15 @@
</p
><p>
<?php echo $Language->getText('account_options', 'title2'); ?><br />
-<input type="text" name="title" value="<?php echo $title; ?>" size="10" />
+<input type="text" name="title" value="<?php echo htmlspecialchars(stripslashes($title)); ?>" size="10" />
</p>
<p>
<?php echo $Language->getText('account_register','firstname'); echo utils_requiredField(); ?><br />
-<input size="30" type="text" name="firstname" value="<?php print($firstname); ?>" />
+<input size="30" type="text" name="firstname" value="<?php print(htmlspecialchars(stripslashes($firstname))); ?>" />
</p>
<p>
<?php echo $Language->getText('account_register','lastname'); echo utils_requiredField(); ?><br />
-<input size="30" type="text" name="lastname" value="<?php print($lastname); ?>" />
+<input size="30" type="text" name="lastname" value="<?php print(htmlspecialchars(stripslashes($lastname))); ?>" />
</p>
<p>
<?php echo $Language->getText('account_register','language'); ?><br />
@@ -113,13 +113,14 @@
</p>
<p>
@<?php echo $Language->getText('account_register','emailaddr', $GLOBALS['sys_users_host']); ?>
-<br /><input size="30" type="text" name="email" value="<?php print($email); ?>" />
+<br /><input size="30" type="text" name="email" value="<?php print(htmlspecialchars(stripslashes($email))); ?>" />
</p>
<p>
<?php
if ($sys_use_jabber) {
echo $Language->getText('account_register','jabberaddr').'<br />
- <input size="30" type="text" name="jabber_address" value="'. $jabber_address .'" /><br />
+ <input size="30" type="text" name="jabber_address" value="'.
+ htmlspecialchars(stripslashes($jabber_address)) .'" /><br />
<input type="checkbox" name="jabber_only" value="1" />
'.$Language->getText('account_register','jabberonly').'.';
}
@@ -127,19 +128,19 @@
</p>
<p>
<?php echo $Language->getText('account_options', 'address'); ?><br />
-<input type="text" name="address" value="<?php echo $address; ?>" size="80" />
+<input type="text" name="address" value="<?php echo htmlspecialchars(stripslashes($address)); ?>" size="80" />
</p>
<p>
<?php echo $Language->getText('account_options', 'address'); ?><br />
-<input type="text" name="address2" value="<?php echo $address2; ?>" size="80" />
+<input type="text" name="address2" value="<?php echo htmlspecialchars(stripslashes($address2)); ?>" size="80" />
</p>
<p>
<?php echo $Language->getText('account_options', 'phone'); ?><br />
-<input type="text" name="phone" value="<?php echo $phone; ?>" size="20" />
+<input type="text" name="phone" value="<?php echo htmlspecialchars(stripslashes($phone)); ?>" size="20" />
</p>
<p>
<?php echo $Language->getText('account_options', 'fax'); ?><br />
-<input type="text" name="fax" value="<?php echo $fax; ?>" size="20" />
+<input type="text" name="fax" value="<?php echo htmlspecialchars(stripslashes($fax)); ?>" size="20" />
</p>
<p>
<input type="checkbox" name="mail_site" value="1" checked="checked" />
Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php 2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php 2011-02-24 16:58:35 UTC (rev 10960)
@@ -56,6 +56,7 @@
$license_other = trim($license_other);
$description = trim($description);
$unix_name = strtolower($unix_name);
+ $feedback = "";
if ($sys_use_scm && !$scm) {
$feedback .= $Language->getText('register','scm_not_selected');
@@ -111,13 +112,13 @@
<?php echo $Language->getText('register','project_full_name') ?>
-<input size="40" maxlength="40" type=text name="full_name" value="<?php echo stripslashes($full_name); ?>">
+<input size="40" maxlength="40" type=text name="full_name" value="<?php echo htmlspecialchars(stripslashes($full_name)); ?>">
<?php echo $Language->getText('register','purpose_and_summarization', array($GLOBALS['sys_name']))?>
<p>
<font size="-1">
<textarea name="purpose" wrap="virtual" cols="70" rows="10">
-<?php echo stripslashes($purpose); ?>
+<?php echo htmlspecialchars(stripslashes($purpose)); ?>
</textarea>
</font>
@@ -130,7 +131,7 @@
<?php echo $Language->getText('register','other_license') ?>
<br />
<textarea name="license_other" wrap=virtual cols=60 rows=5>
-<?php echo stripslashes($license_other); ?>
+<?php echo htmlspecialchars(stripslashes($license_other)); ?>
</textarea>
<p>
@@ -138,13 +139,13 @@
</p>
<font size="-1">
<textarea name="description" wrap="virtual" cols="70" rows="5">
-<?php echo stripslashes($description); ?>
+<?php echo htmlspecialchars(stripslashes($description)); ?>
</textarea>
</font>
<?php echo $Language->getText('register','project_unix_name',array($GLOBALS['sys_default_domain'])) ?>
-<input type=text maxlength="15" SIZE="15" name="unix_name" value="<?php echo $unix_name; ?>">
+<input type=text maxlength="15" SIZE="15" name="unix_name" value="<?php echo htmlspecialchars(stripslashes($unix_name)); ?>">
<?php
$SCMFactory=new SCMFactory();