FIX xss injection on user address

Laurent Destailleur 2018-11-15 17:34:11 +01:00
parent 6297e03ea9
commit 2d6f7f926c


@ -193,7 +193,7 @@ if (empty($reshook)) {
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
$object->birth = $birth;
$object->admin = GETPOST("admin", 'alpha');
$object->address = GETPOST('address', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->country_id = GETPOST('country_id', 'int');
@ -342,7 +342,7 @@ if (empty($reshook)) {
$object->pass = GETPOST("password",'none');
$object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->address = GETPOST('address', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->country_id = GETPOST('country_id', 'int');
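Review bot: The stricter `alphanohtml` filter is applied only to `address`, while `zip` and `town` on the lines directly below it, in both the hunk at 193 and the hunk at 342, are still read with `alpha`. If `alpha` let markup through for the address, it presumably does so for these fields too, and they are likely displayed alongside it; consider `$object->zip = GETPOST('zipcode', 'alphanohtml');` and `$object->town = GETPOST('town', 'alphanohtml');` in both places. Filtering at input also does not clean values that are already stored, so the code that prints these fields (not visible here) should escape them on output as well. The enclosing `if (empty($reshook))` block starts and ends outside both hunks.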