- Improving security by added -limit_to xxx to all im_opt_val calls

1c5db844 · Frank Bergmann · 8ddf21ae · 1c5db844 · 1c5db844
Commit 1c5db844 authored Jun 11, 2020 by Frank Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

index.tcl www/index.tcl +1 -1

new.tcl www/new.tcl +2 -2

No files found.
--- a/www/index.tcl
+++ b/www/index.tcl
@@ -186,7 +186,7 @@ db_foreach column_list_sql $column_sql {
 		UNION select 'end_date'
 	"
 	db_foreach pass_through_vars $dynfield_sql {
-	    set value [im_opt_val $attribute_name]
+	    set value [im_opt_val -limit_to nohtml $attribute_name]
 	    if {"" != $value} {
 		append col_url "&$attribute_name=$value"
 	    }

--- a/www/new.tcl
+++ b/www/new.tcl
@@ -34,7 +34,7 @@ set focus ""
 set sub_navbar ""

 # org_conf_item_id required by Portlet Components!
-set org_conf_item_id [im_opt_val conf_item_id]
+set org_conf_item_id [im_opt_val -limit_to integer conf_item_id]

 set page_title [lang::message::lookup "" intranet-confdb.New_Conf_Item "New Configuration Item"]
 set show_components_p 0
@@ -286,7 +286,7 @@ set conf_item_sql [im_conf_item_select_sql \
 	-owner_id "" \
 	-cost_center_id "" \
 	-treelevel "" \
-	-parent_id [im_opt_val conf_item_id] \
+	-parent_id [im_opt_val -limit_to integer conf_item_id] \
 ]

 set sql "