Changeset 54044 in spip-zone

Timestamp:

Nov 5, 2011, 10:56:54 AM (9 years ago)

Author:

brunobergot@…

Message:

Report de r18662 : Eviter un XSS sur l'aide en ligne (Arnault Pachot)

File:

• _core_/securite/ecran_securite.php (modified) (2 diffs)

_core_/securite/ecran_securite.php

@@ -6 +6 @@
  */
 
-define('_ECRAN_SECURITE', '1.0.5'); // 26 juil. 2011
+define('_ECRAN_SECURITE', '1.0.6'); // 05 nov. 2011
 
 /*
@@ -51 +51 @@
 $cjpeg_command='';
 
-/*     - controle la variable lang, var_recherche (XSS)
- *
- */
-foreach(array('lang', 'var_recherche') as $var) {
+/*     - controle la variable lang, var_recherche, aide (XSS)
+ *
+ */
+foreach(array('lang', 'var_recherche', 'aide') as $var) {
         if (isset($_GET[$var]))
                 $_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w-]+,',' ',(string)$_GET[$var]);