Revision 0f26fc5a
Added by Jim Pingle over 9 years ago
src/usr/local/www/pkg_mgr_install.php | ||
---|---|---|
389 | 389 |
$start_polling = true; |
390 | 390 |
} |
391 | 391 |
?> |
392 |
<input type="hidden" name="id" value="<?=$_POST['id']?>" />
|
|
393 |
<input type="hidden" name="mode" value="<?=$_POST['mode']?>" />
|
|
392 |
<input type="hidden" name="id" value="<?=htmlspecialchars($_POST['id'])?>" />
|
|
393 |
<input type="hidden" name="mode" value="<?=htmlspecialchars($_POST['mode'])?>" />
|
|
394 | 394 |
<input type="hidden" name="completed" value="true" /> |
395 | 395 |
|
396 | 396 |
<div id="countdown" style="text-align: center;"></div> |
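Review bot: On the two replaced hidden inputs (new lines 392 and 393), htmlspecialchars() is called with its default flags, which on PHP releases before 8.1 leave single quotes unescaped; the output is safe only because both value attributes are double-quoted. Passing the flag explicitly, as in htmlspecialchars($_POST['id'], ENT_QUOTES), keeps the escaping correct if the quoting of this markup ever changes. Both values are also read straight from $_POST with no isset() check, so a request that omits id or mode triggers an undefined-index notice or warning at these lines. This hunk only covers the echo into the form; other uses of the two parameters are not visible here, so validating id and mode once where the request is first read, and echoing the validated values, would cover those uses as well.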
Protect these two vars with htmlspecialchars
I wasn't able to exploit this but given how they are used, seems like it is only a matter of time before someone finds a way.