Changeset 704 for trunk/phpbms/modules/bms/invoices_statushistory.php

Timestamp:

01/01/10 23:10:02 (2 years ago)

Author:

brieb

Message:

• Fixed several SQL injection vulnerabilities
• Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI
• Fixed severa path disclosure errors

Files:

• trunk/phpbms/modules/bms/invoices_statushistory.php (modified) (1 diff)

trunk/phpbms/modules/bms/invoices_statushistory.php

@@ -127 +127 @@
         $phpbms->showTabs("invoices entry","tab:809d644e-fa40-5ad3-0426-3d84cf15b32e",$_GET["id"]);?><div class="bodyline">
         <h1><span><?php echo $pageTitle ?></span></h1>
-        <form action="<?PHP echo $_SERVER["REQUEST_URI"] ?>" method="post" name="record" onsubmit="return validateForm(this);">
+        <form action="<?PHP echo htmlentities($_SERVER["REQUEST_URI"]) ?>" method="post" name="record" onsubmit="return validateForm(this);">
                 <p>
                         <input accesskey="s" title="(access key+s)" name="command" type="submit" value="update statuses" class="Buttons" <?php if($refrecord["type"]=="Invoice") echo "disabled=\"disabled\""?>/>