author | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 15:15:50 -0500 |
---|---|---|
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 15:17:24 -0500 |
commit | 79b6eb98e7506c9074d737c452e90732c6cd4afd (patch) | |
tree | 6582ef7140953790b0de426e7a8873719cff5492 | |
parent | 81ff3c5d8125f7841ceca5021e95a7c0ef79ae01 (diff) | |
download | ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.tar.gz ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.tar.bz2 ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.zip |
Fix scrub_in to be safer
-rw-r--r-- | lib/class/auth.class.php | 3 | ||||
-rw-r--r-- | lib/general.lib.php | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/lib/class/auth.class.php b/lib/class/auth.class.php
index 8a23b33f..6e8be4a9 100644
--- a/lib/class/auth.class.php
+++ b/lib/class/auth.class.php
@@ -122,7 +122,8 @@ class Auth {
     // doesn't break things.
     // FIXME: Break things in the future.
     $hashed_password[] = hash('sha256', $password);
-    $hashed_password[] = hash('sha256', Dba::escape(scrub_in($password)));
+    $hashed_password[] = hash('sha256',
+        Dba::escape(stripslashes(htmlspecialchars(strip_tags($password)))));
 
     // Automagically update the password if it's old and busted.
     if ($row['password'] == $hashed_password[1] &&
diff --git a/lib/general.lib.php b/lib/general.lib.php
index f42c3f87..daba19ec 100644
--- a/lib/general.lib.php
+++ b/lib/general.lib.php
@@ -70,7 +70,7 @@ function generate_password($length) {
 function scrub_in($input) {
     if (!is_array($input)) {
-        return stripslashes(htmlspecialchars(strip_tags($input)));
+        return stripslashes(htmlspecialchars(strip_tags($input), ENT_QUOTES, Config::get('site_charset')));
     } else {
         $results = array();
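Review bot: The inlined `stripslashes(htmlspecialchars(strip_tags($password)))` on the added lines is exactly the pre-change body of scrub_in() (the removed line in the lib/general.lib.php hunk), kept so hashes stored through the old transform still verify, but nothing on the line says so; a later reader will see a duplicated scrub and "fix" it back to scrub_in(), which now applies ENT_QUOTES and a charset and would silently stop legacy hashes from matching. Propose a comment above the added lines: `// Legacy hash: deliberately reproduces the OLD scrub_in() transform (no ENT_QUOTES/charset) so passwords hashed before the scrub_in change still match; do not replace with scrub_in().` The last context line, `$row['password'] == $hashed_password[1]`, compares hex digests with loose `==`; PHP compares two numeric-looking strings as numbers, so digests that happen to parse that way can compare equal without being identical, and the check should be `===` (or hash_equals() where the PHP version provides it). The enclosing Auth method starts and ends outside the hunk.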