[Mapbender-commits] r8930 - trunk/mapbender/http/plugins
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Wed Jun 25 02:21:48 PDT 2014
Author: armin11
Date: 2014-06-25 02:21:48 -0700 (Wed, 25 Jun 2014)
New Revision: 8930
Modified:
trunk/mapbender/http/plugins/mb_downloadFeedClient.php
trunk/mapbender/http/plugins/mb_downloadFeedServer.php
Log:
Some further hardening against XSS
Modified: trunk/mapbender/http/plugins/mb_downloadFeedClient.php
===================================================================
--- trunk/mapbender/http/plugins/mb_downloadFeedClient.php 2014-06-25 08:42:15 UTC (rev 8929)
+++ trunk/mapbender/http/plugins/mb_downloadFeedClient.php 2014-06-25 09:21:48 UTC (rev 8930)
@@ -118,7 +118,7 @@
<p>
<form id="service_feed_form">
<label for="download_feed_url"><?php echo _mb("ATOM Feed url");?></label>
- <input name="download_feed_url" id="download_feed_url" class="required" <?php if (isset($url)) {echo " value=\"".$url."\"";} else { echo " value=\"\"";}?>/><img src="../img/gnome/process-stop.png" width="20px" onclick="$('#download_feed_url').val('');"/><input type="button" title="Get Feed" id="download_feed_button" value="Get Feed Content"/>
+ <input name="download_feed_url" id="download_feed_url" class="required" <?php if (isset($url)) {echo " value=\"".htmlspecialchars($url)."\"";} else { echo " value=\"\"";}?>/><img src="../img/gnome/process-stop.png" width="20px" onclick="$('#download_feed_url').val('');"/><input type="button" title="Get Feed" id="download_feed_button" value="Get Feed Content"/>
</form>
</p>
</div>
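Review bot: The new `htmlspecialchars($url)` in the `value` attribute relies on the default flags, which escape double quotes but (before PHP 8.1) not single quotes, and without ENT_SUBSTITUTE return an empty string for invalid UTF-8 input. The attribute is double-quoted here, so the call is sufficient as written, but an explicit `htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` makes the escaping independent of PHP version and of how the attribute happens to be quoted. It would also help to say where `$url` comes from in a comment, since its origin is outside the hunk and the comment in mb_downloadFeedServer.php suggests it is a GET parameter.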
Modified: trunk/mapbender/http/plugins/mb_downloadFeedServer.php
===================================================================
--- trunk/mapbender/http/plugins/mb_downloadFeedServer.php 2014-06-25 08:42:15 UTC (rev 8929)
+++ trunk/mapbender/http/plugins/mb_downloadFeedServer.php 2014-06-25 09:21:48 UTC (rev 8930)
@@ -61,12 +61,13 @@
switch ($_REQUEST['method']) {
case "getServiceFeedObjectFromUrl" :
- $serviceFeedUrl = $_REQUEST['url'];
+ $serviceFeedUrl = htmlspecialchars_decode($_REQUEST['url']);//htmlspecialchars_decode is done to prohibit xss vulnerability of the client, which allows url as a get parameter
$logUrl = date("F j, Y, g:i a",time())." - ".$serviceFeedUrl;
$e = new mb_exception("inspire: ".$logUrl);
logit($logUrl);
//test url
+
//get feed from remote server
$feedConnector = new connector($serviceFeedUrl);
$feedConnector->set("timeOut", "5");
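Review bot: The decoded `$serviceFeedUrl` is handed straight to `new connector($serviceFeedUrl)` with no check on its scheme or shape, and the `//test url` comment above is followed only by the added blank line, so the validation step is still missing; the fetch is server-side, so a request to an arbitrary user-supplied URL is the concern here, not XSS. A minimal guard before the connector would be `if (filter_var($serviceFeedUrl, FILTER_VALIDATE_URL) === false || !in_array(parse_url($serviceFeedUrl, PHP_URL_SCHEME), ['http', 'https'], true)) { throw new Exception('invalid feed url'); }` (or whatever error path this switch uses elsewhere). The inline comment's rationale is also unclear: decoding entities on the server does not by itself protect the client, whose protection is the output escaping in mb_downloadFeedClient.php; consider rewording it to state what input format the parameter is expected to arrive in and why the decode is needed. The raw URL is also written unaltered into `$logUrl`, so newlines in it end up in the log line; the surrounding `switch` continues outside the hunk.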