gnucash-htdocs beta: More sanitizing.

John Ralls jralls at code.gnucash.org
Tue Aug 10 18:40:49 EDT 2021


Updated	 via  https://github.com/Gnucash/gnucash-htdocs/commit/3f869d4d (commit)
	from  https://github.com/Gnucash/gnucash-htdocs/commit/1acd86cc (commit)



commit 3f869d4d8fe628f49ed0356c63accfc6813a1c60
Author: John Ralls <jralls at ceridwen.us>
Date:   Tue Aug 10 15:40:41 2021 -0700

    More sanitizing.

diff --git a/externals/header.phtml b/externals/header.phtml
index 7394899..0256aa9 100644
--- a/externals/header.phtml
+++ b/externals/header.phtml
@@ -8,26 +8,30 @@
   include("$top_dir/externals/global_params.php");
   if (!isset($title)) {
       $title = $GLOBALS["default_title"];
-  };
-  $full_title = $title." | GnuCash";
+  }
+  $full_title = filter_var($title, FILTER_SANITIZE_FULL_SPECIAL_CHARS)." | GnuCash";
   if (!isset($description)) {
       $description = $default_description;
-  };
+  } else {
+      $description = filter_var($description, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+  }
+  $page = filter_var($page, FILTER_SANITIZE_URL | FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
   # This function will create a link to the given page
   # reusing the get parameters that were specified
   # with the option to override the language
   function make_lang_href($page, $get_parms, $lang)
   {
-      if (isset($lang) && $lang != "") {
-          $get_parms["lang"] = $lang;
+      $query_lang = filter_input(INPUT_GET, $lang, FILTER_SANITIZE_STRING);
+      if ($query_lang)
+          $get_parms["lang"] = $query_lang;
       }
       $url_get_query = http_build_query($get_parms);
       $lang_href = "$page"."?"."$url_get_query";
       return $lang_href;
   }
-  
-  $get_parms = $_GET;
+
+  $get_parms = filter_var($_GET, FILTER_SANITIZE_STRING);
 
   if (isset($locale)) {
       if (substr($locale, 0, 2) != 'zh') {
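Review bot: The rewritten make_lang_href no longer parses: line 46 drops the opening brace of the `if` but line 48 keeps the closing one, so that `}` now ends the function and the `}` on line 52 is unmatched. `filter_input(INPUT_GET, $lang, …)` on line 45 also treats the caller's `$lang` override as a query-string *name*, so the language passed in is never applied and `$_GET[<lang value>]` is read instead; the original assignment should be kept, with `$lang` checked against the site's locale list or a shape check instead. `filter_var($_GET, FILTER_SANITIZE_STRING)` on line 56 returns `false` for an array argument unless `FILTER_REQUIRE_ARRAY` is passed, which then hands `false` to `http_build_query()`; `filter_input_array(INPUT_GET, …)` keeps the array shape, and `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1. On line 36, `FILTER_SANITIZE_URL | FILTER_SANITIZE_FULL_SPECIAL_CHARS` does not apply both filters, because filter ids are integers rather than bit flags; apply them in sequence, `filter_var(filter_var($page, FILTER_SANITIZE_URL), FILTER_SANITIZE_FULL_SPECIAL_CHARS)`.
```php
  function make_lang_href($page, $get_parms, $lang)
  {
      // $lang is the caller's override, not a query-string key: keep it only when it
      // looks like a locale tag (e.g. "de", "pt_BR") instead of looking it up in $_GET.
      if (isset($lang) && $lang !== '' && preg_match('/^[A-Za-z]{2,3}([_-][A-Za-z]{2,4})?$/', $lang)) {
          $get_parms["lang"] = $lang;
      }
      // … unchanged: http_build_query / return …
  }

  // filter_var() on an array yields false; the array variant keeps the query map
  // (it returns null when $_GET is empty, hence the fallback).
  $get_parms = filter_input_array(INPUT_GET, FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?: [];
```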
@@ -50,7 +54,7 @@
 <?php } //if ($can_utf)?>
 
     <title><?=$full_title?></title>
-    <meta name="description" content="<?=strip_tags($description)?>"/>
+    <meta name="description" content="<?=$description?>"/>
 
     <!--meta properties for facebook Open Graph-->
     <meta property="og:locale" content="<?=$locale_str?>"/>
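Review bot: Removing `strip_tags()` on line 65 relies on `$description` already being encoded, but the first hunk only runs `filter_var(..., FILTER_SANITIZE_FULL_SPECIAL_CHARS)` in the `else` branch, so the `$default_description` fallback reaches the `content` attribute unencoded. If that default is a trusted literal this is harmless, but a double quote in it would still terminate the attribute; the same applies to the og:description line in the next hunk (line 78). Escaping at the output site covers both paths regardless of how the variable was set: `<meta name="description" content="<?=htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')?>"/>`, with the same call on line 78.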
@@ -63,10 +67,10 @@
     ?>
     <meta property="og:title" content="<?=$full_title?>"/>
     <meta property="og:type" content="website"/>
-    <meta property="og:url" content="<?=\DEFAULT_URL.filter_var($page, FILTER_SANITIZE_URL)?>"/>
+    <meta property="og:url" content="<?=\DEFAULT_URL.$page?>"/>
     <meta property="og:image" content="<?=\DEFAULT_URL."externals/logo_w120.png"?>"/>
     <meta property="og:site_name" content="GnuCash"/>
-    <meta property="og:description" content="<?=strip_tags($description)?>"/>
+    <meta property="og:description" content="<?=$description?>"/>
 <?php // end of Open Graph properties?>
 
     <link rel="stylesheet" href="<?=$home?>/externals/gnucash.css" type="text/css" />



Summary of changes:
 externals/header.phtml | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)


