diff options
| author | plegall <plg@piwigo.org> | 2010-04-29 10:44:30 +0000 |
|---|---|---|
| committer | plegall <plg@piwigo.org> | 2010-04-29 10:44:30 +0000 |
| commit | e7487082c32de87efd756bf05ae8539d38cda373 (patch) | |
| tree | 1f3c53b9fbb15fc576755f9af428b3a33178cf76 /themes | |
| parent | ba70c8f5cbd1f22c912a9b44363c246b6eb84dd7 (diff) | |
bug 1484: prevent XSS vulnerability, encode url.
improvement: no need to transmit the REQUEST_URI from PHP, Smarty already
knows it.
git-svn-id: http://piwigo.org/svn/trunk@5990 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'themes')
| -rw-r--r-- | themes/default/template/identification.tpl | 2 | ||||
| -rw-r--r-- | themes/default/template/menubar_identification.tpl | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/themes/default/template/identification.tpl b/themes/default/template/identification.tpl index 1541fd471..1a34744ac 100644 --- a/themes/default/template/identification.tpl +++ b/themes/default/template/identification.tpl @@ -21,7 +21,7 @@ <fieldset> <legend>{'Connection settings'|@translate}</legend> - <input type="hidden" name="redirect" value="{$U_REDIRECT}"> + <input type="hidden" name="redirect" value="{$U_REDIRECT|urlencode}"> <ul> <li> diff --git a/themes/default/template/menubar_identification.tpl b/themes/default/template/menubar_identification.tpl index c0af6047d..b686b9601 100644 --- a/themes/default/template/menubar_identification.tpl +++ b/themes/default/template/menubar_identification.tpl @@ -28,7 +28,7 @@ {if isset($U_LOGIN)} <form method="post" action="{$U_LOGIN}" id="quickconnect"> - <input type="hidden" name="redirect" value="{$U_REDIRECT}"> + <input type="hidden" name="redirect" value="{$smarty.server.REQUEST_URI|urlencode}"> <fieldset> <legend>{'Quick connect'|@translate}</legend> <div> |