Fix persistent XSS vulnerabilities in AJAX editing

Based on merge request #22 from Jean-Lou Hau, but does the escaping for everything and in a different place.
author: Paul Arthur <paul.arthur@flowerysong.com> 2013-02-07 15:20:44 -0500
committer: Paul Arthur <paul.arthur@flowerysong.com> 2013-02-07 15:20:44 -0500
commit: 266f7cea9bd51df298cc45fbb8abb39a1375acd2 (patch)
tree: f35aef5619aa5fe9d099dd46af91a81722b9f96e /server/ajax.server.php
parent: 79b6eb98e7506c9074d737c452e90732c6cd4afd (diff)
download: ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.tar.gz
ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.tar.bz2
ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/server/ajax.server.php b/server/ajax.server.php
index 52175876..80609567 100644
--- a/server/ajax.server.php
+++ b/server/ajax.server.php
@@ -158,6 +158,10 @@ switch ($_REQUEST['action']) {
         ob_end_clean();
     break;
     case 'edit_object':
+        // Scrub the data
+        foreach ($_POST as $key => $data) {
+            $_POST[$key] = scrub_in($data);
+        }
 
         $level = '50';
author	Paul Arthur <paul.arthur@flowerysong.com>	2013-02-07 15:20:44 -0500
committer	Paul Arthur <paul.arthur@flowerysong.com>	2013-02-07 15:20:44 -0500
commit	266f7cea9bd51df298cc45fbb8abb39a1375acd2 (patch)
tree	f35aef5619aa5fe9d099dd46af91a81722b9f96e /server/ajax.server.php
parent	79b6eb98e7506c9074d737c452e90732c6cd4afd (diff)
download	ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.tar.gz ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.tar.bz2 ampache-266f7cea9bd51df298cc45fbb8abb39a1375acd2.zip