During install, HTML encode POST data for forms.

This commit is contained in:
JustAMacUser 2020-04-21 20:52:19 -04:00
parent 11a9d3bd9b
commit 0fb5267d07
1 changed files with 30 additions and 30 deletions

60
install/index.php Executable file → Normal file
View File

@ -234,28 +234,28 @@
<fieldset> <fieldset>
<label>Username:</label> <label>Username:</label>
<input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo $DB_USER ?>"/> <input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>Password:</label> <label>Password:</label>
<input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo $DB_PASS ?>"/> <input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>Database name:</label> <label>Database name:</label>
<input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo $DB_NAME ?>"/> <input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>Host name:</label> <label>Host name:</label>
<input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo $DB_HOST ?>"/> <input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
<span class="hint">If needed</span> <span class="hint">If needed</span>
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>Port:</label> <label>Port:</label>
<input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo $DB_PORT ?>"/> <input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
<span class="hint">Usually 3306 for MySQL or 5432 for PostgreSQL</span> <span class="hint">Usually 3306 for MySQL or 5432 for PostgreSQL</span>
</fieldset> </fieldset>
@ -265,7 +265,7 @@
<fieldset> <fieldset>
<label>Tiny Tiny RSS URL:</label> <label>Tiny Tiny RSS URL:</label>
<input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo $SELF_URL_PATH; ?>" value="<?php echo $SELF_URL_PATH ?>"/> <input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo htmlspecialchars($SELF_URL_PATH); ?>" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
</fieldset> </fieldset>
<p><button type="submit" dojoType="dijit.form.Button" class="alt-primary">Test configuration</button></p> <p><button type="submit" dojoType="dijit.form.Button" class="alt-primary">Test configuration</button></p>
@ -336,7 +336,7 @@
$pdo = pdo_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, $DB_TYPE, $DB_PORT); $pdo = pdo_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, $DB_TYPE, $DB_PORT);
if (!$pdo) { if (!$pdo) {
print_error("Unable to connect to database using specified parameters (driver: $DB_TYPE)."); print_error("Unable to connect to database using specified parameters (driver: " . htmlspecialchars($DB_TYPE) . ").");
exit; exit;
} }
@ -362,13 +362,13 @@
<form method="post"> <form method="post">
<input type="hidden" name="op" value="installschema"> <input type="hidden" name="op" value="installschema">
<input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
<input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
<input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
<input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
<input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
<input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
<input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
<p> <p>
<?php if ($need_confirm) { ?> <?php if ($need_confirm) { ?>
@ -382,13 +382,13 @@
</td><td> </td><td>
<form method="post"> <form method="post">
<input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
<input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
<input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
<input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
<input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
<input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
<input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
<input type="hidden" name="op" value="skipschema"> <input type="hidden" name="op" value="skipschema">
@ -440,16 +440,16 @@
<form action="" method="post"> <form action="" method="post">
<input type="hidden" name="op" value="saveconfig"> <input type="hidden" name="op" value="saveconfig">
<input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/> <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
<input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/> <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
<input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/> <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
<input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/> <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
<input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/> <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
<input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/> <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
<input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/> <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
<?php print "<textarea rows='20' style='width : 100%'>"; <?php print "<textarea rows='20' style='width : 100%'>";
echo make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, echo htmlspecialchars(make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS,
$DB_PORT, $SELF_URL_PATH); $DB_PORT, $SELF_URL_PATH));
print "</textarea>"; ?> print "</textarea>"; ?>
<hr/> <hr/>