Changeset 704 for trunk/phpbms/include/fields.php

Timestamp:

01/01/10 23:10:02 (2 years ago)

Author:

brieb

Message:

• Fixed several SQL injection vulnerabilities
• Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI
• Fixed severa path disclosure errors

Files:

• trunk/phpbms/include/fields.php (modified) (1 diff)

trunk/phpbms/include/fields.php

@@ -82 +82 @@
     function startForm($pageTitle){
 
-        ?><form action="<?php echo str_replace("&","&amp;",$this->action) ?>" method="<?php echo $this->method?>" name="<?php echo $this->name?>" <?php
+        ?><form action="<?php echo htmlentities($this->action) ?>" method="<?php echo $this->method?>" name="<?php echo $this->name?>" <?php
                 if($this->onsubmit !== NULL) { ?>onsubmit="<?php echo $this->onsubmit?>" <?php }
                 if(isset($this->enctype)) echo ' enctype="'.$this->enctype.'" ';