Adds strip_tags

2015-01-16 23:24:27 +01:00 · 2015-01-16 23:24:27 +01:00 · 50bd82e223
commit 50bd82e223
parent d29e2ff2c7
6 changed files with 12 additions and 7 deletions
--- a/include/php/pages/admin/createdomain.php
+++ b/include/php/pages/admin/createdomain.php
@ -2,6 +2,7 @@

 if(isset($_POST['domain'])){
 	$domain = $db->escape_string($_POST['domain']);
+	$domain = strip_tags($domain);
 	$domain = strtolower($domain);
 	
 	if($domain !== ""){
--- a/include/php/pages/admin/editredirect.php
+++ b/include/php/pages/admin/editredirect.php
@ -6,8 +6,10 @@
 			$id = $db->escape_string($_POST['id']);
 			
 			$source = $db->escape_string($_POST['source']);
+			$source = strip_tags($source);
 			$source = strtolower($source);
 			$destination = $db->escape_string($_POST['destination']);
+			$destination = strip_tags($destination);
 			$destination = strtolower($destination);
 			
 			if($source !== "" && $destination !== ""){
@ -29,8 +31,10 @@
 		
 		else if($savemode === "create"){
 			$source = $db->escape_string($_POST['source']);
+			$source = strip_tags($source);
 			$source = strtolower($source);
 			$destination = $db->escape_string($_POST['destination']);
+			$destination = strip_tags($destination);
 			$destination = strtolower($destination);
 			
 			if($source !== "" && $destination !== ""){
--- a/include/php/pages/admin/edituser.php
+++ b/include/php/pages/admin/edituser.php
@ -167,7 +167,7 @@
 	
 	<tr>
 		<td>
-			<input name="username" class="textinput" type="text" autofocus value="<?php if(isset($username)){echo $username;} ?>" placeholder="Username" required="required"/>
+			<input name="username" class="textinput" type="text" autofocus value="<?php if(isset($username)){echo strip_tags($username);} ?>" placeholder="Username" required="required"/>
 		</td>
 		
 		<td>
@ -184,7 +184,7 @@
 				while($row = $result->fetch_assoc()){
 					$selected = "";
 					if(isset($domain) && $row[DBC_DOMAINS_DOMAIN] === $domain){$selected = "selected=\"selected\"";}
-					echo "<option value=\"".$row[DBC_DOMAINS_DOMAIN]."\" ".$selected." >".$row[DBC_DOMAINS_DOMAIN]."</option>";
+					echo "<option value=\"".strip_tags($row[DBC_DOMAINS_DOMAIN])."\" ".$selected." >".strip_tags($row[DBC_DOMAINS_DOMAIN])."</option>";
 				}
 				?>
 			</select>
@ -202,7 +202,7 @@
 		
 		<?php if(defined('DBC_USERS_MAILBOXLIMIT')){ ?>
 		<td>
-			<input name="mailbox_limit" class="textinput" type="number" value="<?php if(isset($mailbox_limit)){echo $mailbox_limit;} else{echo $mailbox_limit_default;} ?>" placeholder="Mailbox size (MB)" required="required"/> 
+			<input name="mailbox_limit" class="textinput" type="number" value="<?php if(isset($mailbox_limit)){echo strip_tags($mailbox_limit);} else{echo strip_tags($mailbox_limit_default);} ?>" placeholder="Mailbox size (MB)" required="required"/> 
 		</td>
 		<?php } ?>
 	</tr>
--- a/include/php/pages/admin/listdomains.php
+++ b/include/php/pages/admin/listdomains.php
@ -38,7 +38,7 @@ Add or delete domains.

 <?php 
 	while($row = $result->fetch_assoc()){
-		echo "<tr><td>".$row[DBC_DOMAINS_DOMAIN]."</td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deletedomain/?id=".$row[DBC_DOMAINS_ID]."\">[Delete]</a></td> </tr>";
+		echo "<tr><td>".strip_tags($row[DBC_DOMAINS_DOMAIN])."</td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deletedomain/?id=".$row[DBC_DOMAINS_ID]."\">[Delete]</a></td> </tr>";
 	}
 ?>
 </table>
--- a/include/php/pages/admin/listredirects.php
+++ b/include/php/pages/admin/listredirects.php
@ -32,7 +32,7 @@ if(!$result = $db->query($sql)){

 <?php 
 	while($row = $result->fetch_assoc()){
-		echo "<tr><td>".$row[DBC_ALIASES_SOURCE]."</td> <td>".$row[DBC_ALIASES_DESTINATION]."</td> <td><a href=\"".FRONTEND_BASE_PATH."admin/editredirect/?id=".$row[DBC_ALIASES_ID]."\">[Edit]</a></td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deleteredirect/?id=".$row[DBC_ALIASES_ID]."\">[Delete]</a></td></tr>";
+		echo "<tr><td>".strip_tags($row[DBC_ALIASES_SOURCE])."</td> <td>".strip_tags($row[DBC_ALIASES_DESTINATION])."</td> <td><a href=\"".FRONTEND_BASE_PATH."admin/editredirect/?id=".$row[DBC_ALIASES_ID]."\">[Edit]</a></td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deleteredirect/?id=".$row[DBC_ALIASES_ID]."\">[Delete]</a></td></tr>";
 	}
 ?>
 </table>
--- a/include/php/pages/admin/listusers.php
+++ b/include/php/pages/admin/listusers.php
@ -43,13 +43,13 @@ if(!$result = $db->query($sql)){
 <?php 	
 	while($row = $result->fetch_assoc()){
 		if(defined('DBC_USERS_MAILBOXLIMIT')){
-			$mailbox_limit_column = '<td>'.$row[DBC_USERS_MAILBOXLIMIT].'</td>';
+			$mailbox_limit_column = '<td>'.strip_tags($row[DBC_USERS_MAILBOXLIMIT]).'</td>';
 		}
 		else{
 			$mailbox_limit_column = '';
 		}

-		echo "<tr> <td>".$row[DBC_USERS_USERNAME]."</td><td>".$row[DBC_USERS_DOMAIN]."</td>".$mailbox_limit_column."<td><a href=\"".FRONTEND_BASE_PATH."admin/edituser/?id=".$row[DBC_USERS_ID]."\">[Edit]</a></td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deleteuser/?id=".$row[DBC_USERS_ID]."\">[Delete]</a></td> </tr>";
+		echo "<tr> <td>".strip_tags($row[DBC_USERS_USERNAME])."</td><td>".strip_tags($row[DBC_USERS_DOMAIN])."</td>".$mailbox_limit_column."<td><a href=\"".FRONTEND_BASE_PATH."admin/edituser/?id=".$row[DBC_USERS_ID]."\">[Edit]</a></td> <td><a href=\"".FRONTEND_BASE_PATH."admin/deleteuser/?id=".$row[DBC_USERS_ID]."\">[Delete]</a></td> </tr>";
 	}
 ?>
 </table>