From 3c94eb3f608f9bf0dc8d19583abe273b3a67e5ff Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 20 Apr 2014 18:55:24 +0200
Subject: Fixed XSS vulnerability.

---
 www/update.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'www/update.php')

diff --git a/www/update.php b/www/update.php
index 67a92a1..26c05ca 100644
--- a/www/update.php
+++ b/www/update.php
@@ -2,13 +2,13 @@ function update_db($db){
- $id = SQLite3::escapeString($_POST["id"]);
- $name = SQLite3::escapeString($_POST["name"]);
- $adresse = SQLite3::escapeString($_POST["adresse"]);
- $telefonnummer = SQLite3::escapeString($_POST["telefonnummer"]);
- $handynummer = SQLite3::escapeString($_POST["handynummer"]);
- $email = SQLite3::escapeString($_POST["email"]);
- $bday = SQLite3::escapeString($_POST["geburtstag"]);
+ $id = SQLite3::escapeString(htmlentities($_POST["id"]));
+ $name = SQLite3::escapeString(htmlentities($_POST["name"]));
+ $adresse = SQLite3::escapeString(htmlentities($_POST["adresse"]));
+ $telefonnummer = SQLite3::escapeString(htmlentities($_POST["telefonnummer"]));
+ $handynummer = SQLite3::escapeString(htmlentities($_POST["handynummer"]));
+ $email = SQLite3::escapeString(htmlentities($_POST["email"]));
+ $bday = SQLite3::escapeString(htmlentities($_POST["geburtstag"]));
 if((!empty($id) && !preg_match("/^[0-9]+$/", $id)) || (!empty($telefonnummer) && !preg_match("/^[0-9]+$/", $telefonnummer) )|| (!empty($email) && !preg_match("/^.+@.+$/", $email))){
 return false;
-- 
cgit v1.2.3
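Review bot: The added `htmlentities()` calls apply HTML output encoding at the input boundary, before the SQLite escaping and before the values are stored, so the database ends up holding entity-encoded data (an address containing `&` is saved as `&amp;`), every non-HTML consumer of these columns sees entities, and the `^[0-9]+$` / `.+@.+` checks further down run against encoded text rather than what the user sent. It also does not close the hole in every context: with the pre-8.1 default flags (ENT_COMPAT) `htmlentities()` leaves `'` unencoded, so a value echoed inside a single-quoted attribute is still injectable, and the encoding offers nothing for JavaScript or URL contexts. Keep the raw `$_POST` values here and escape at the point of output with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; the `SQLite3::escapeString()` concatenation this prepares (the query itself is outside the hunk) would be safer as a prepared statement, e.g. `$stmt = $db->prepare('UPDATE ... WHERE id = :id'); $stmt->bindValue(':id', $id, SQLITE3_INTEGER);`, since `escapeString()` only doubles single quotes and protects nothing concatenated unquoted. Note too that `$_POST["id"]` and friends are read without `isset()`, and `/^[0-9]+$/` accepts a trailing newline because `$` matches before a final `\n` (use `\z` or the `D` modifier). update_db continues past the end of the hunk.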