hoo2/InformationSystemsSecurity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply contex-aware encoding to the rest of the program.

Browse Source
This commit is contained in:
Christos Choutouridis 2026-01-11 17:53:04 +02:00
parent 4b5d0dd704
commit a71b4b9bd7
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
passman-dev/php/passman/dashboard.php
View File

@ -99,16 +99,23 @@ $stmt->close();
//echo htmlspecialchars($username); //echo htmlspecialchars($username);
echo "<h3>Entries of " . $username . "</h3>"; $safe_username = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
echo "<h3>Entries of " . $safe_username . "</h3>";
if (!empty($result) && $result->num_rows >= 1) { if (!empty($result) && $result->num_rows >= 1) {
while ($row = $result -> fetch_assoc()) { while ($row = $result -> fetch_assoc()) {
// Escape output to prevent stored XSS (DB content must be treated as untrusted).
$safe_url = htmlspecialchars($row["web_url"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
$safe_user = htmlspecialchars($row["web_username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
$safe_pass = htmlspecialchars($row["web_password"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
$webid_safe = (int)$row["webid"];
echo "<table border=0>"; echo "<table border=0>";
echo "<tr style='background-color: #f4f4f4;'><td colspan=2>" . $row["web_url"] . "</td></tr>" . echo "<tr style='background-color: #f4f4f4;'><td colspan=2>" . $safe_url . "</td></tr>" .
"<tr><td>Username: " . $row["web_username"] . "</td><td>Password: " . $row["web_password"] . "</td></tr>"; "<tr><td>Username: " . $safe_user . "</td><td>Password: " . $safe_pass . "</td></tr>";
echo "<tr><td><form method='POST' style='height: 3px'>" . echo "<tr><td><form method='POST' style='height: 3px'>" .
"<input type='hidden' name='websiteid' value='" . $row["webid"] . "'>" . "<input type='hidden' name='websiteid' value='" . $webid_safe . "'>" .
"<button type='submit' name='delete_website'>Delete</button></form></td></tr>"; "<button type='submit' name='delete_website'>Delete</button></form></td></tr>";
echo "<tr><td colspan=2 style=height: 20px;></td></tr>"; echo "<tr><td colspan=2 style=height: 20px;></td></tr>";