From e78ec6458b81a3c665b08f862b8bc16c7a80a41f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Fri, 20 Jun 2008 12:03:39 +0000
Subject: [PATCH] Request data is now generally secured
---
 .../ship-simu/templates/de/code/login_failed.ctp | 2 ++
 .../ship-simu/templates/de/code/login_logout.ctp | 1 +
 .../ship-simu/templates/de/code/login_main.ctp | 11 +++++++++--
 .../ship-simu/templates/de/code/shipsimu_main.ctp | 10 +++++-----
 .../exceptions/main/class_InvalidCommandException.php | 2 +-
 inc/classes/main/request/class_HttpRequest.php | 9 +++++++--
 inc/includes.php | 2 +-
 7 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/application/ship-simu/templates/de/code/login_failed.ctp b/application/ship-simu/templates/de/code/login_failed.ctp
index 4d9d42e..81af6a1 100644
--- a/application/ship-simu/templates/de/code/login_failed.ctp
+++ b/application/ship-simu/templates/de/code/login_failed.ctp
@@ -4,6 +4,7 @@
Du bist nicht mehr in Ship-Simu eingeloggt. Dies kann verschiedene Gründe haben: +
  1. Dein Browser nimmt keine Cookies an.
  2. Du hast den Loginbereich aus deinen Bookmarks/Favoriten aufgerufen
@@ -12,6 +13,7 @@ kannst. Bitte kontaktiere den Support, falls dieses Problem weiterhin besteht.
+ Wenn du den Support kontaktierst, halte bitte sämtliche relevante Informationen - nicht aber dein Passwort - bereit. Du kannst auch einen Screenshot dieser Seite anfertigen und dem diff --git a/application/ship-simu/templates/de/code/login_logout.ctp b/application/ship-simu/templates/de/code/login_logout.ctp index e0eb6d6..aa4ca11 100644 --- a/application/ship-simu/templates/de/code/login_logout.ctp +++ b/application/ship-simu/templates/de/code/login_logout.ctp @@ -2,6 +2,7 @@
Willst du dich wirklich aus dem Spiel aussloggen?
+
diff --git a/application/ship-simu/templates/de/code/login_main.ctp b/application/ship-simu/templates/de/code/login_main.ctp
index 3f7cf5f..b111601 100644
--- a/application/ship-simu/templates/de/code/login_main.ctp
+++ b/application/ship-simu/templates/de/code/login_main.ctp
@@ -10,7 +10,11 @@
Account-Infos:
- {?persona_data?} + +
+ {?persona_data?} +
+
diff --git a/application/ship-simu/templates/de/code/shipsimu_main.ctp b/application/ship-simu/templates/de/code/shipsimu_main.ctp
index ff1ab2c..e15d8d9 100644
--- a/application/ship-simu/templates/de/code/shipsimu_main.ctp
+++ b/application/ship-simu/templates/de/code/shipsimu_main.ctp
@@ -1,23 +1,23 @@
 {?header?}
-{?ship_simu_header?}
+ {?ship_simu_header?}
-{?content?}
+ {?content?}
{?footer?}
diff --git a/inc/classes/exceptions/main/class_InvalidCommandException.php b/inc/classes/exceptions/main/class_InvalidCommandException.php
index add1645..d8ec33d 100644
--- a/inc/classes/exceptions/main/class_InvalidCommandException.php
+++ b/inc/classes/exceptions/main/class_InvalidCommandException.php
@@ -34,7 +34,7 @@ class InvalidCommandException extends FrameworkException {
 $message = sprintf("[%s:%d] Invalid command %s detected.",
 $msgArray[0]->__toString(),
 $this->getLine(),
- htmlentities(strip_tags($msgArray[1]), ENT_QUOTES)
+ $msgArray[1]
 );
 
 // Call parent constructor
diff --git a/inc/classes/main/request/class_HttpRequest.php b/inc/classes/main/request/class_HttpRequest.php
index 1a64747..b12855f 100644
--- a/inc/classes/main/request/class_HttpRequest.php
+++ b/inc/classes/main/request/class_HttpRequest.php
@@ -1,6 +1,6 @@
 * @version 0.0.0
@@ -109,8 +109,13 @@ class HttpRequest extends BaseFrameworkSystem implements Requestable {
 // Initialize value
 $value = null;
 
+ // Is the element set?
 if ($this->isRequestElementSet($element)) {
- $value = $this->requestData[$element];
+ // Get the bare value
+ $value = $this->requestData[$element];
+
+ // Secure it against attacks
+ $value = htmlentities(strip_tags($value), ENT_QUOTES);
 } // END - if
 
 // Return the element's value
diff --git a/inc/includes.php b/inc/includes.php
index a9af02b..709fb2a 100644
--- a/inc/includes.php
+++ b/inc/includes.php
@@ -52,7 +52,7 @@ if (!empty($_GET['app'])) {
 $application = htmlentities(strip_tags($application), ENT_QUOTES);
 
 // Secure it a little more with a reg.exp.
-$application = preg_replace('/([^a-z_-])+/i', "", $application);
+$application = preg_replace('/([^a-z0-9_-])+/i', "", $application);
 
 // Set the application name for later usage
 $cfg->setConfigEntry('app_name', $application);
-- 
2.39.5
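Review bot: Removing `htmlentities(strip_tags(...))` from the sprintf argument makes this message depend on every caller having already encoded `$msgArray[1]`; that now holds for values read through the request-element getter in HttpRequest changed in this same patch, but a command name that reaches this exception from any other source goes into the message unencoded. If the message is ever rendered into an HTML error page, it should be escaped at that output point rather than relying on the request layer, because an exception message is also written to logs and CLI output where entities are noise. A one-line comment above the argument would make the assumption visible to the next reader: `// $msgArray[1] is expected to be pre-encoded by the request layer; escape at output if rendered elsewhere`. The enclosing constructor starts and ends outside the hunk.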
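Review bot: Applying `htmlentities(strip_tags($value), ENT_QUOTES)` when the element is read encodes for a single output context (HTML) at the input layer, so every consumer of the value — database writes, equality comparisons, logging, redirects — receives entity-encoded, tag-stripped data; anything not rendered as HTML is altered rather than protected, a password or name containing `&`, `'` or `<` no longer round-trips, and `strip_tags` can discard legitimate text after a stray `<`. The conventional layering is to return the raw value here and escape in the template or wherever the value is emitted, with the other contexts (SQL parameters, URL encoding) handled by their own consumers. If the early encoding is kept deliberately, the call should at least name the charset, `$value = htmlentities(strip_tags($value), ENT_QUOTES, 'UTF-8');`, since on PHP versions before 5.4 the default was ISO-8859-1 and UTF-8 request data would be mis-encoded; the method's docblock, which lies outside the hunk, should then state that the getter returns HTML-encoded data. The enclosing method starts before and ends after the hunk.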
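Review bot: The widened character class stops digits from being stripped out of the application name, but `preg_replace` still sanitises by deletion, so an unexpected value is silently rewritten into a different, valid-looking name instead of being rejected. Since the result is stored as `app_name` and the variable appears to derive from `$_GET['app']` (the `if` shown as hunk context), a fail-closed check is the safer shape: `if (!preg_match('/^[a-z0-9_-]+$/i', $application)) { /* reject: fall back to the configured default or abort */ }` in place of the replace, which also makes a rejected request visible in logs rather than indistinguishable from a valid one. With an allow-list of that form the preceding `htmlentities(strip_tags(...))` line becomes redundant for this value, as every character it would encode is already excluded. The surrounding `if (!empty($_GET['app']))` block starts outside the hunk.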