Revision 10d74dff
Added by Scott Ullrich about 14 years ago
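--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -253,19 +253,6 @@
 unset($input_errors);
 $pconfig = $_POST;
 
-/* run through $_POST items encoding HTML entties so that the user
- * cannot think he is slick and perform a XSS attack on the unwilling
- */
-foreach ($_POST as $key => $value) {
-$temp = str_replace(">", "", $value);
-
-if (isset($_POST['floating']) && $key == "interface")
-continue;
-$newpost = htmlentities($temp);
-if($newpost <> $temp)
-$input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp);
-}
-
 /* input validation */
 $reqdfields = explode(" ", "type proto");
 if ( isset($a_filter[$id]['associated-rule-id'])===false ) {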
Remove bogus protection. We have better handling of this now.