
Merge pull request #16 from arnehaber/clean_xss_fix

Fixes a potential cross site scripting (XSS) issue
Martin Monperrus 11 years ago
parent
commit
63aef9c2ed
  1. 9
      bibtexbrowser.php

9
bibtexbrowser.php

@ -243,10 +243,11 @@ function _zetDB($bibtex_filenames) {
$ext = pathinfo($bib, PATHINFO_EXTENSION);
// this is a security protection
if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
// to automate dectection of faulty links with tools such as webcheck
header('HTTP/1.1 404 Not found');
die('<b>the bib file '.$bib.' does not exist !</b>');
// to automate dectection of faulty links with tools such as webcheck
header('HTTP/1.1 404 Not found');
// escape $bib to prevent XSS
$escapedBib = htmlEntities($bib, ENT_QUOTES);
die('<b>the bib file '.$escapedBib.' does not exist !</b>');
}
} // end for each
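Review bot: `htmlEntities($bib, ENT_QUOTES)` on the new die() line passes no charset and no ENT_SUBSTITUTE, so the encoding it assumes depends on the PHP default of the running version (ISO-8859-1 before 5.4, UTF-8 from 5.4 on), and on 5.4+ a filename containing an invalid UTF-8 byte sequence makes htmlentities return an empty string, producing a 404 page that names no file at all. The explicit form `$escapedBib = htmlspecialchars($bib, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` is sufficient for this HTML text context and keeps the diagnostic readable for malformed input. Where $bib comes from is not visible in this hunk; the file_exists check and the "security protection" comment suggest it is derived from a request parameter, which is why pinning the escaping behaviour matters here. The body of _zetDB continues outside the hunk.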
