XSS fixes

2011-08-05 12:01:47 +02:00
parent 3d8fddceb0
commit 39edf6e1fb
1 changed files with 6 additions and 6 deletions
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -473,8 +473,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
        ?>
                <tr class="noclick <?php echo $style; ?>">
                    <td><small><?php echo $i; ?></small></td>
-                    <td><small><?php echo $entry['date']; ?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                    <td><?php echo $statement; ?></td>
                </tr>
        <?php
@@ -507,10 +507,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
    ?>
    </form>
    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
-    <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" />
-    <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" />
-    <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" />
-    <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" />
+    <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
+    <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
+    <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
+    <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
    <?php
    echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
    ?>