summaryrefslogtreecommitdiff
path: root/classes/pref
diff options
context:
space:
mode:
Diffstat (limited to 'classes/pref')
-rwxr-xr-xclasses/pref/feeds.php88
-rwxr-xr-xclasses/pref/filters.php62
-rw-r--r--classes/pref/labels.php26
-rw-r--r--classes/pref/prefs.php24
-rw-r--r--classes/pref/users.php24
5 files changed, 112 insertions, 112 deletions
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 05f6b8c8f..0b5a445f3 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected {
}
function renamecat() {
- $title = $_REQUEST['title'];
- $id = $_REQUEST['id'];
+ $title = clean($_REQUEST['title']);
+ $id = clean($_REQUEST['id']);
if ($title) {
$sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
@@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected {
private function get_category_items($cat_id) {
- if ($_REQUEST['mode'] != 2)
+ if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"];
else
$search = "";
// first one is set by API
- $show_empty_cats = $_REQUEST['force_show_empty'] ||
- ($_REQUEST['mode'] != 2 && !$search);
+ $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+ (clean($_REQUEST['mode']) != 2 && !$search);
$items = array();
@@ -103,7 +103,7 @@ class Pref_Feeds extends Handler_Protected {
function makefeedtree() {
- if ($_REQUEST['mode'] != 2)
+ if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"];
else
$search = "";
@@ -116,7 +116,7 @@ class Pref_Feeds extends Handler_Protected {
$enable_cats = get_pref('ENABLE_FEED_CATS');
- if ($_REQUEST['mode'] == 2) {
+ if (clean($_REQUEST['mode']) == 2) {
if ($enable_cats) {
$cat = $this->feedlist_init_cat(-1);
@@ -193,8 +193,8 @@ class Pref_Feeds extends Handler_Protected {
}
if ($enable_cats) {
- $show_empty_cats = $_REQUEST['force_show_empty'] ||
- ($_REQUEST['mode'] != 2 && !$search);
+ $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+ (clean($_REQUEST['mode']) != 2 && !$search);
$sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
@@ -303,7 +303,7 @@ class Pref_Feeds extends Handler_Protected {
$fl['identifier'] = 'id';
$fl['label'] = 'name';
- if ($_REQUEST['mode'] != 2) {
+ if (clean($_REQUEST['mode']) != 2) {
$fl['items'] = array($root);
} else {
$fl['items'] = $root['items'];
@@ -389,9 +389,9 @@ class Pref_Feeds extends Handler_Protected {
}
function savefeedorder() {
- $data = json_decode($_POST['payload'], true);
+ $data = json_decode(clean($_POST['payload']), true);
- #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+ #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items']))
@@ -425,7 +425,7 @@ class Pref_Feeds extends Handler_Protected {
}
function removeicon() {
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
WHERE id = ? AND owner_uid = ?");
@@ -457,7 +457,7 @@ class Pref_Feeds extends Handler_Protected {
}
$icon_file = $tmp_file;
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 65535) {
@@ -500,7 +500,7 @@ class Pref_Feeds extends Handler_Protected {
global $update_intervals;
- $feed_id = $_REQUEST["id"];
+ $feed_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
owner_uid = ?");
@@ -775,7 +775,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
- $feed_ids = $_REQUEST["ids"];
+ $feed_ids = clean($_REQUEST["ids"]);
print_notice("Enable the options you wish to apply using checkboxes on the right:");
@@ -924,32 +924,32 @@ class Pref_Feeds extends Handler_Protected {
function editsaveops($batch) {
- $feed_title = trim($_POST["title"]);
- $feed_url = trim($_POST["feed_url"]);
- $upd_intl = (int) $_POST["update_interval"];
- $purge_intl = (int) $_POST["purge_interval"];
- $feed_id = (int) $_POST["id"]; /* editSave */
- $feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */
- $cat_id = (int) $_POST["cat_id"];
- $auth_login = trim($_POST["auth_login"]);
- $auth_pass = trim($_POST["auth_pass"]);
- $private = checkbox_to_sql_bool($_POST["private"]);
+ $feed_title = trim(clean($_POST["title"]));
+ $feed_url = trim(clean($_POST["feed_url"]));
+ $upd_intl = (int) clean($_POST["update_interval"]);
+ $purge_intl = (int) clean($_POST["purge_interval"]);
+ $feed_id = (int) clean($_POST["id"]); /* editSave */
+ $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
+ $cat_id = (int) clean($_POST["cat_id"]);
+ $auth_login = trim(clean($_POST["auth_login"]));
+ $auth_pass = trim(clean($_POST["auth_pass"]));
+ $private = checkbox_to_sql_bool(clean($_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
- $_POST["include_in_digest"]);
+ clean($_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool(
- $_POST["cache_images"]);
+ clean($_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool(
- $_POST["hide_images"]);
+ clean($_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool(
- $_POST["always_display_enclosures"]);
+ clean($_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool(
- $_POST["mark_unread_on_update"]);
+ clean($_POST["mark_unread_on_update"]));
- $feed_language = trim($_POST["feed_language"]);
+ $feed_language = trim(clean($_POST["feed_language"]));
if (!$batch) {
- if ($_POST["need_auth"] !== 'on') {
+ if (clean($_POST["need_auth"]) !== 'on') {
$auth_login = '';
$auth_pass = '';
}
@@ -1008,7 +1008,7 @@ class Pref_Feeds extends Handler_Protected {
foreach (array_keys($_POST) as $k) {
if ($k != "op" && $k != "method" && $k != "ids") {
- $feed_data[$k] = $_POST[$k];
+ $feed_data[$k] = clean($_POST[$k]);
}
}
@@ -1102,7 +1102,7 @@ class Pref_Feeds extends Handler_Protected {
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
@@ -1112,14 +1112,14 @@ class Pref_Feeds extends Handler_Protected {
}
function removeCat() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed_category($id, $_SESSION["uid"]);
}
}
function addCat() {
- $feed_cat = trim($_REQUEST["cat"]);
+ $feed_cat = trim(clean($_REQUEST["cat"]));
add_feed_category($feed_cat);
}
@@ -1152,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected {
onclick=\"showInactiveFeeds()\">" .
__("Inactive feeds") . "</button>";
- $feed_search = $_REQUEST["search"];
+ $feed_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search;
@@ -1675,10 +1675,10 @@ class Pref_Feeds extends Handler_Protected {
}
function batchAddFeeds() {
- $cat_id = $_REQUEST['cat'];
- $feeds = explode("\n", $_REQUEST['feeds']);
- $login = $_REQUEST['login'];
- $pass = trim($_REQUEST['pass']);
+ $cat_id = clean($_REQUEST['cat']);
+ $feeds = explode("\n", clean($_REQUEST['feeds']));
+ $login = clean($_REQUEST['login']);
+ $pass = trim(clean($_REQUEST['pass']));
foreach ($feeds as $feed) {
$feed = trim($feed);
@@ -1714,8 +1714,8 @@ class Pref_Feeds extends Handler_Protected {
}
function regenFeedKey() {
- $feed_id = $_REQUEST['id'];
- $is_cat = $_REQUEST['is_cat'] == "true";
+ $feed_id = clean($_REQUEST['id']);
+ $is_cat = clean($_REQUEST['is_cat']) == "true";
$new_key = $this->update_feed_access_key($feed_id, $is_cat);
diff --git a/classes/pref/filters.php b/classes/pref/filters.php
index 1ff9a3723..74aecd309 100755
--- a/classes/pref/filters.php
+++ b/classes/pref/filters.php
@@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected {
}
function savefilterorder() {
- $data = json_decode($_POST['payload'], true);
+ $data = json_decode(clean($_POST['payload']), true);
- #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+ #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items']))
@@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected {
}
function testFilterDo() {
- $offset = (int) $_REQUEST["offset"];
- $limit = (int) $_REQUEST["limit"];
+ $offset = (int) clean($_REQUEST["offset"]);
+ $limit = (int) clean($_REQUEST["limit"]);
$filter = array();
$filter["enabled"] = true;
- $filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]);
+ $filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$filter["rules"] = array();
$filter["actions"] = array("dummy-action");
@@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected {
$scope_qparts = array();
$rctr = 0;
- foreach ($_REQUEST["rule"] AS $r) {
+ foreach (clean($_REQUEST["rule"]) AS $r) {
$rule = json_decode($r, true);
if ($rule && $rctr < 5) {
@@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected {
function edit() {
- $filter_id = $_REQUEST["id"];
+ $filter_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2
WHERE id = ? AND owner_uid = ?");
@@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
}
private function getRuleName($rule) {
- if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+ if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
$feeds = $rule["feed_id"];
$feeds_fmt = [];
@@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
}
function printRuleName() {
- print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+ print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
}
private function getActionName($action) {
@@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
}
function printActionName() {
- print $this->getActionName(json_decode($_REQUEST["action"], true));
+ print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
}
function editSave() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter();
}
- $filter_id = $_REQUEST["id"];
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
- $title = $_REQUEST["title"];
+ $filter_id = clean($_REQUEST["id"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+ $title = clean($_REQUEST["title"]);
$this->pdo->beginTransaction();
@@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
$ids_qmarks = arr_qmarks($ids);
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks)
@@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
$sth->execute([$filter_id]);
- if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
- if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+ if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+ if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
if ($filter_id) {
/* create rules */
@@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
$rules = array();
$actions = array();
- foreach ($_REQUEST["rule"] as $rule) {
+ foreach (clean($_REQUEST["rule"]) as $rule) {
$rule = json_decode($rule, true);
unset($rule["id"]);
@@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
}
}
- foreach ($_REQUEST["action"] as $action) {
+ foreach (clean($_REQUEST["action"]) as $action) {
$action = json_decode($action, true);
unset($action["id"]);
@@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
}
function add() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter();
}
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $title = $_REQUEST["title"];
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $title = clean($_REQUEST["title"]);
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$this->pdo->beginTransaction();
@@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
function index() {
- $filter_search = $_REQUEST["search"];
+ $filter_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected {
}
function newrule() {
- $rule = json_decode($_REQUEST["rule"], true);
+ $rule = json_decode(clean($_REQUEST["rule"]), true);
if ($rule) {
$reg_exp = htmlspecialchars($rule["reg_exp"]);
@@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected {
}
function newaction() {
- $action = json_decode($_REQUEST["action"], true);
+ $action = json_decode(clean($_REQUEST["action"]), true);
if ($action) {
$action_param = $action["action_param"];
@@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected {
}
function join() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
if (count($ids) > 1) {
$base_id = array_shift($ids);
diff --git a/classes/pref/labels.php b/classes/pref/labels.php
index 8f1f70be9..38ec850a6 100644
--- a/classes/pref/labels.php
+++ b/classes/pref/labels.php
@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
}
function edit() {
- $label_id = $_REQUEST['id'];
+ $label_id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
id = ? AND owner_uid = ?");
@@ -119,11 +119,11 @@ class Pref_Labels extends Handler_Protected {
}
function colorset() {
- $kind = $_REQUEST["kind"];
- $ids = explode(',', $_REQUEST["ids"]);
- $color = $_REQUEST["color"];
- $fg = $_REQUEST["fg"];
- $bg = $_REQUEST["bg"];
+ $kind = clean($_REQUEST["kind"]);
+ $ids = explode(',', clean($_REQUEST["ids"]));
+ $color = clean($_REQUEST["color"]);
+ $fg = clean($_REQUEST["fg"]);
+ $bg = clean($_REQUEST["bg"]);
foreach ($ids as $id) {
@@ -154,7 +154,7 @@ class Pref_Labels extends Handler_Protected {
}
function colorreset() {
- $ids = explode(',', $_REQUEST["ids"]);
+ $ids = explode(',', clean($_REQUEST["ids"]));
foreach ($ids as $id) {
$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
@@ -174,8 +174,8 @@ class Pref_Labels extends Handler_Protected {
function save() {
- $id = $_REQUEST["id"];
- $caption = trim($_REQUEST["caption"]);
+ $id = clean($_REQUEST["id"]);
+ $caption = trim(clean($_REQUEST["caption"]));
$this->pdo->beginTransaction();
@@ -206,7 +206,7 @@ class Pref_Labels extends Handler_Protected {
$sth->execute([$caption, $old_caption, $_SESSION['uid']]);
- print $_REQUEST["value"];
+ print clean($_REQUEST["value"]);
} else {
print $old_caption;
}
@@ -221,7 +221,7 @@ class Pref_Labels extends Handler_Protected {
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
Labels::remove($id, $_SESSION["uid"]);
@@ -230,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
}
function add() {
- $caption = $_REQUEST["caption"];
- $output = $_REQUEST["output"];
+ $caption = clean($_REQUEST["caption"]);
+ $output = clean($_REQUEST["output"]);
if ($caption) {
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 5d999bf3d..5fc76b32c 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -60,9 +60,9 @@ class Pref_Prefs extends Handler_Protected {
function changepassword() {
- $old_pw = $_POST["old_password"];
- $new_pw = $_POST["new_password"];
- $con_pw = $_POST["confirm_password"];
+ $old_pw = clean($_POST["old_password"]);
+ $new_pw = clean($_POST["new_password"]);
+ $con_pw = clean($_POST["confirm_password"]);
if ($old_pw == "") {
print "ERROR: ".format_error("Old password cannot be blank.");
@@ -89,7 +89,7 @@ class Pref_Prefs extends Handler_Protected {
}
function saveconfig() {
- $boolean_prefs = explode(",", $_POST["boolean_prefs"]);
+ $boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
foreach ($boolean_prefs as $pref) {
if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
@@ -129,8 +129,8 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() {
- $email = $_POST["email"];
- $full_name = $_POST["full_name"];
+ $email = clean($_POST["email"]);
+ $full_name = clean($_POST["full_name"]);
$active_uid = $_SESSION["uid"];
$sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
@@ -880,8 +880,8 @@ class Pref_Prefs extends Handler_Protected {
require_once "lib/otphp/lib/otp.php";
require_once "lib/otphp/lib/totp.php";
- $password = $_REQUEST["password"];
- $otp = $_REQUEST["otp"];
+ $password = clean($_REQUEST["password"]);
+ $otp = clean($_REQUEST["otp"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@@ -930,7 +930,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpdisable() {
- $password = $_REQUEST["password"];
+ $password = clean($_REQUEST["password"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@@ -948,8 +948,8 @@ class Pref_Prefs extends Handler_Protected {
}
function setplugins() {
- if (is_array($_REQUEST["plugins"]))
- $plugins = join(",", $_REQUEST["plugins"]);
+ if (is_array(clean($_REQUEST["plugins"])))
+ $plugins = join(",", clean($_REQUEST["plugins"]));
else
$plugins = "";
@@ -957,7 +957,7 @@ class Pref_Prefs extends Handler_Protected {
}
function clearplugindata() {
- $name = $_REQUEST["name"];
+ $name = clean($_REQUEST["name"]);
PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
}
diff --git a/classes/pref/users.php b/classes/pref/users.php
index b23950bd3..d65af1680 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -25,7 +25,7 @@ class Pref_Users extends Handler_Protected {
print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
print_hidden("id", "$id");
print_hidden("op", "pref-users");
@@ -108,7 +108,7 @@ class Pref_Users extends Handler_Protected {
}
function userdetails() {
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT login,
".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
@@ -177,11 +177,11 @@ class Pref_Users extends Handler_Protected {
}
function editSave() {
- $login = trim($_REQUEST["login"]);
- $uid = $_REQUEST["id"];
- $access_level = (int) $_REQUEST["access_level"];
- $email = trim($_REQUEST["email"]);
- $password = $_REQUEST["password"];
+ $login = trim(clean($_REQUEST["login"]));
+ $uid = clean($_REQUEST["id"]);
+ $access_level = (int) clean($_REQUEST["access_level"]);
+ $email = trim(clean($_REQUEST["email"]));
+ $password = clean($_REQUEST["password"]);
if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -199,7 +199,7 @@ class Pref_Users extends Handler_Protected {
}
function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) {
@@ -217,7 +217,7 @@ class Pref_Users extends Handler_Protected {
function add() {
- $login = trim($_REQUEST["login"]);
+ $login = trim(clean($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -316,7 +316,7 @@ class Pref_Users extends Handler_Protected {
}
function resetPass() {
- $uid = $_REQUEST["id"];
+ $uid = clean($_REQUEST["id"]);
Pref_Users::resetUserPassword($uid, true);
}
@@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
- $user_search = trim($_REQUEST["search"]);
+ $user_search = trim(clean($_REQUEST["search"]));
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
@@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."</button>
</div>";
- $sort = $_REQUEST["sort"];
+ $sort = clean($_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 05:35:43 +0000