From 2e62839897167304a215d1613f08804e738a7fb2 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Tue, 22 May 2012 12:10:51 +0200
Subject: [PATCH] Fixed Cross site scripting issue of id parameter on admin/reports.php page

---
 src/admin/reports.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/admin/reports.php b/src/admin/reports.php
index 53a6d0d..63c7db8 100644
--- a/src/admin/reports.php
+++ b/src/admin/reports.php
@@ -89,7 +89,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['ReportID'] = DB_RemoveBadChars($_GET['id']);
+ $content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
 {
 // Get Reference to parser!
@@ -181,7 +181,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['ReportID'] = DB_RemoveBadChars($_GET['id']);
+ $content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
 {
 // Get Reference to parser!
@@ -245,7 +245,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['ReportID'] = DB_RemoveBadChars($_GET['id']);
+ $content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
 {
 // Get Reference to parser!
@@ -312,7 +312,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['ReportID'] = DB_RemoveBadChars($_GET['id']);
+ $content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 
 // Init Form variables
 $content['ISADDSAVEDREPORT'] = "true";
@@ -408,7 +408,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['ReportID'] = DB_RemoveBadChars($_GET['id']);
+ $content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
 {
 // Get Reference to report!
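Review bot: `strip_tags()` is not an output encoder — it removes tag-like sequences but leaves quotes and stray `<`/`>` in place, so a `ReportID` that is later echoed inside an HTML attribute or a script block remains injectable; the same point applies to all five hunks (@@ -89, -181, -245, -312 and -408), which make an identical change. Because `ReportID` is only ever meaningful as a key into `$content['REPORTS']`, the durable fix is to treat it as an identifier rather than sanitised text: keep `DB_RemoveBadChars()` for the DB layer, refuse to render values for which `isset($content['REPORTS'][ $content['ReportID'] ])` is false, and HTML-encode at the output site with `htmlspecialchars($content['ReportID'], ENT_QUOTES, 'UTF-8')` wherever the template does print it. The @@ -312 hunk deserves the closest look, since it carries no `isset($content['REPORTS'][...])` check before the form variables are initialised, so the raw value presumably reaches the template unchecked. Repeating the same one-liner five times also argues for a small shared helper (e.g. a `GetReportIdParam()` that returns `null` for unknown IDs) so the validation lives in one place. The enclosing `if ( isset($_GET['op']) )` block begins and ends outside every hunk.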