Bug #7402 (open): Inconsistent use of htmlentities validation checks
Status: New
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 03/17/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:
Description
Forum: https://forum.pfsense.org/index.php?topic=127350.0
Various pages have a loop through the input parameters ($_POST, $_REQUEST, etc.) checking for htmlentities() that the user has tried to "sneak in". It is done a bit differently in different pages, e.g. see:
firewall_nat_edit.php
firewall_nat_1to1_edit.php
firewall_nat_out_edit.php
or not at all:
firewall_rules_edit.php
This means that on some GUI pages the user can put characters like double-quotes, "<", ">" in the description field, and in others they cannot. It makes for an inconsistent user experience.
Sort out what htmlentities() etc input validation is really needed to protect against??? and then implement it consistently across the code.
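As an added illustration of the kind of shared check this ticket asks for (this is not pfSense's own code; the function names and the sample POST bodies are invented here), the snippet below puts the "does htmlentities() change the value?" test in one helper that every page can call, and shows what such a check accepts and rejects on realistic description strings:

```php
<?php
// Added example for this ticket, not pfSense code. Function names are invented.

/**
 * True when $value is unchanged by htmlentities(), i.e. it contains nothing
 * that would be entity-encoded. This is the comparison the per-page loops
 * reproduce in slightly different ways.
 */
function value_is_entity_clean(string $value): bool {
    return htmlentities($value, ENT_QUOTES, 'UTF-8') === $value;
}

/**
 * Request-level check shared by all pages. Returns one error string per
 * offending field. $allow lists field names that may carry such characters
 * (a free-text field that is always escaped when rendered, for example).
 */
function check_request_for_entities(array $request, array $allow = []): array {
    $errors = [];
    foreach ($request as $key => $value) {
        if (!is_string($value) || in_array($key, $allow, true)) {
            continue; // nested arrays and explicitly allowed fields are skipped
        }
        if (!value_is_entity_clean($value)) {
            // escape the echoed value so the error message itself is safe in HTML
            $errors[] = sprintf('Invalid characters in field "%s": %s',
                $key, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
        }
    }
    return $errors;
}

/** Output-side escaping, which is what actually keeps a stored value from
 *  being interpreted as markup when the page echoes it back. */
function render_descr(string $descr): string {
    return htmlspecialchars($descr, ENT_QUOTES, 'UTF-8');
}

// Constructed sample POST bodies mimicking the description field cases
// mentioned in the ticket, plus two edge cases worth knowing about.
$samples = [
    'plain'   => ['descr' => 'LAN to WAN',        'src' => '10.0.0.0/24'],
    'quotes'  => ['descr' => 'allow "guest" vlan', 'src' => '10.0.1.0/24'],
    'angles'  => ['descr' => '<b>bold</b>',        'src' => '10.0.2.0/24'],
    'apos'    => ['descr' => "Bob's printer",      'src' => '10.0.3.0/24'], // ENT_QUOTES flags the apostrophe
    'accent'  => ['descr' => 'Café',               'src' => '10.0.4.0/24'], // htmlentities() also encodes é
];

foreach ($samples as $name => $post) {
    $errors = check_request_for_entities($post);
    printf("%-7s -> %s\n", $name, $errors ? implode('; ', $errors) : 'accepted');
}
printf("rendered: %s\n", render_descr($samples['angles']['descr']));
```

Two things the output makes visible: with ENT_QUOTES the comparison rejects an ordinary apostrophe, and because htmlentities() encodes every character that has a named entity it also rejects accented text such as "Café"; if only the HTML-significant characters matter, comparing against htmlspecialchars() instead narrows the check to those. Either way the input check only decides what every page accepts or rejects uniformly, while escaping at render time (render_descr above) is the control that prevents a stored description from being interpreted as markup.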