[vhffs-dev] [606] Added some input check to prevent javascript injection. |
Revision: 606
Author: beuss
Date: 2007-05-14 07:07:48 +0000 (Mon, 14 May 2007)
Log Message:
-----------
Added some input checks to prevent javascript injection.
Modified Paths:
--------------
trunk/vhffs-panel/user/prefs.pl
Modified: trunk/vhffs-panel/user/prefs.pl
===================================================================
--- trunk/vhffs-panel/user/prefs.pl 2007-05-13 19:59:23 UTC (rev 605)
+++ trunk/vhffs-panel/user/prefs.pl 2007-05-14 07:07:48 UTC (rev 606)
@@ -84,9 +84,30 @@
if( ( ! defined $firstname ) || ( ! defined $lastname ) || ( ! defined $city ) || ( ! defined $mail ) || ( ! defined $zipcode ) || ( ! defined $country ) || ( ! defined $address ) ) {
$panel->add_error( gettext( "CGI Error!" ) );
} else {
+ # We don't really care about what user use as firstname, lastname, ... we just
+ # want it not to break everything
+ if( $firstname !~ /^[^<">]+$/ ) {
+ $panel->add_error( gettext( 'Firstname is not correct !') );
+ }
+ if( $lastname !~ /^[^<">]+$/ ) {
+ $panel->add_error( gettext( 'Lastname is not correct !') );
+ }
+ if( $city !~ /^[^<">]+$/ ) {
+ $panel->add_error( gettext( 'City is not correct !') );
+ }
+ if( Vhffs::Functions::valid_mail($mail) < 0 ) {
+ $panel->add_error( gettext( 'Email is not correct !') );
+ }
if( ! ( $zipcode =~ /^[\w\d\s\-]+$/ ) ) {
$panel->add_error( gettext( "Zipcode is not correct !" ) );
}
+ if( $country !~ /^[^<">]+$/ ) {
+ $panel->add_error( gettext( 'Country is not correct !') );
+ }
+ if( $address !~ /^[^<">]+$/ ) {
+ $panel->add_error( gettext( 'Address is not correct !') );
+ }
+
if( $pass1 ne $pass2 ) {
$panel->add_error( gettext( "Passwords don't match" ) );
}
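Review bot: The new deny-list regexes on the firstname, lastname, city, country and address checks (`/^[^<">]+$/`) do not on their own prevent script injection: they reject `<`, `"` and `>` but still admit `'` and `&`, and because `$` matches before a trailing newline a value ending in a newline passes as well. The reliable defence is HTML-escaping these values wherever the panel renders them; whether that happens is not visible in this hunk. If the input filter is kept, anchor it with `\A` and `\z`, and since the same pattern is repeated five times a shared compiled pattern reads better, e.g. `my $plain_text = qr/\A[^<">]+\z/;` and `if( $firstname !~ $plain_text ) {`. The enclosing else-block continues past the end of the hunk, so whether a failed check actually stops the preferences from being updated cannot be confirmed here.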