Unverified Commit 39d9ad21 authored by Drew Phillips's avatar Drew Phillips Committed by GitHub

Merge pull request #107 from bleplat/xssfix

Use htmlspecialchars to fix XSS in some example scripts
Showing with 6 additions and 4 deletions
+6 -4
......@@ -58,6 +58,8 @@ if (isset($_GET['validate'])) {
// generate a new captcha ID and challenge
$captchaId = Securimage::getCaptchaId();
$currentScript = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
// output the captcha ID, and a form to validate it
// the form submits to itself and is validated above
echo <<<EOD
......@@ -82,9 +84,9 @@ echo <<<EOD
<p>&nbsp;</p>
<div>
Captcha ID: $captchaId<br /><br />
<img src="{$_SERVER['PHP_SELF']}?display&amp;id=$captchaId" alt="Captcha Image" /><br />
<img src="$currentScript?display&amp;id=$captchaId" alt="Captcha Image" /><br />
<form method="get" action="{$_SERVER['PHP_SELF']}">
<form method="get" action="$currentScript">
<input type="hidden" name="validate" value="1" />
<input type="hidden" name="id" value="$captchaId" />
Enter Code:
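Review bot: The new `$currentScript` on line 13 escapes with `ENT_QUOTES` only, leaving the charset at the interpreter default and omitting `ENT_SUBSTITUTE`; on PHP 5.4 and later, where that default is UTF-8, a request path containing an invalid byte sequence makes `htmlspecialchars` return an empty string, so the image `src` and form `action` on lines 22 and 24 silently become empty. A more robust form is `$currentScript = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Because `PHP_SELF` reflects the request path (PATH_INFO included), `$_SERVER['SCRIPT_NAME']` would avoid echoing user-supplied path segments into the page at all, though escaping is still required either way. The heredoc that consumes `$currentScript` opens on line 16 and its closing `EOD` marker lies outside the hunk.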
......@@ -110,11 +110,11 @@ $captchaId = Securimage::getCaptchaId(true, $options);
<p>&nbsp;</p>
<div>
Captcha ID: <span id="span_captchaId"><?php echo $captchaId ?></span><br /><br />
<img id="siimage" src="<?php echo $_SERVER['PHP_SELF'] ?>?display=1&amp;id=<?php echo $captchaId ?>" alt="Captcha Image" />
<img id="siimage" src="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>?display=1&amp;id=<?php echo $captchaId ?>" alt="Captcha Image" />
[ <a href="#" onclick="refreshCaptcha(); return false">Refresh Image</a> ]
<br />
<form method="get" action="<?php echo $_SERVER['PHP_SELF'] ?>">
<form method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
<input type="hidden" name="validate" value="1" />
<input id="captchaId" type="hidden" name="id" value="<?php echo $captchaId ?>" />
Enter Code:
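Review bot: Lines 34 and 38 each repeat `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)` inline, whereas the other example script in this commit computes the escaped path once into `$currentScript`; doing the same here, e.g. `$currentScript = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` next to the `$captchaId` assignment named in the hunk header, keeps the two examples consistent and puts the escaping flags in one place. The `<?php echo $captchaId ?>` outputs on lines 32, 34 and 40 stay unescaped; that is presumably acceptable because the ID comes from `Securimage::getCaptchaId()` rather than the request, but a one-line comment stating that assumption would make the scope of this fix clear to the next reader. The PHP/HTML template around this hunk starts and ends outside it.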