- Filestorage:

Fixed XSS issue

- Filestorage:
Fixed XSS issue
7d0d64d0 · Frank Bergmann · 4ca02d87 · 7d0d64d0
Commit 7d0d64d0 authored May 23, 2011 by Frank Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

intranet-filestorage-procs.tcl tcl/intranet-filestorage-procs.tcl +11 -0

No files found.
--- a/tcl/intranet-filestorage-procs.tcl
+++ b/tcl/intranet-filestorage-procs.tcl
@@ -1102,6 +1102,17 @@ ad_proc export_url_bind_vars { bind_vars } {
    set vars ""
    set ctr 0
    foreach var [ad_ns_set_keys $bind_vars] {
+	
+	# Security check for cross site scripting
+        if {![regexp {^[a-zA-Z0-9_\-]*$} $var]} {
+            im_security_alert \
+                -location export_url_bind_vars \
+                -message "Invalid URL var characters" \
+                -value [ns_quotehtml $var]
+            # Quote the harmful vars
+            regsub -all {[^a-zA-Z0-9_\-]} $var "_" var
+        }
+
 	set value [ns_set get $bind_vars $var]
 	if {$ctr > 0} { append vars "&" }
 	append vars "$var=[ns_urlencode $value]"