Add stronger input validation/output escaping for theme, tags and categories vars

This commit is contained in:
Marcus Hill
2023-03-05 19:25:24 +00:00
parent feb0267002
commit 2210ad9f3e
3 changed files with 4 additions and 4 deletions


@@ -1,4 +1,4 @@
<?php <?php
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);
$color = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['color'])); $color = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['color']));
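Review bot: The `$color` line still rewrites a bad value instead of rejecting it — `preg_replace` strips every character outside the class and hands the remainder on as if it were valid, so `red;drop` silently becomes `reddrop` and an entirely invalid input becomes the empty string. A validation step should fail closed: `if (!preg_match('/^[0-9a-zA-Z-]+$/', $_POST['color'] ?? '')) { /* reject request */ }` and only then assign `$color`, ideally also checking it against the fixed set of colour names the templates actually know. On this rendered view both copies of the changed line print side by side, so I am assuming the hyphen variant is the new side; if the underscore class is in fact the new one the same point applies. The script continues past this hunk, so where `$color` is finally used (HTML, SQL or both) is not visible here.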


@@ -1,5 +1,5 @@
<?php <?php
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']); $type = intval($_POST['type']);
$color = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['color'])); $color = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['color']));
$icon = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['icon'])); $icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));
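Review bot: `$_POST['color']` and `$_POST['icon']` are read without a presence check, so a request that omits either field triggers an "Undefined array key" warning on PHP 8 and passes `null` into `sanitizeInput()`, whose handling of `null` is not visible from this hunk. Use a null-coalescing default on both lines, `sanitizeInput($_POST['icon'] ?? '')`, and note that the character class accepts the empty string, so the code after this hunk must still check that `$icon` and `$color` are non-empty before storing or rendering them. The `$type` line next to them uses `intval()` rather than the regex approach; a short comment on why icon and colour are restricted to `[0-9a-zA-Z-]` (presumably CSS class / icon-name syntax — to be confirmed) would help the next reader. The script body continues beyond these five lines.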


@@ -870,7 +870,7 @@ if(isset($_POST['edit_theme_settings'])){
validateAdminRole(); validateAdminRole();
$theme = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['theme'])); $theme = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['theme']));
mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme' WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme' WHERE company_id = $session_company_id");