Changeset 795:eab85d2136f6 for admin/posts.php

Timestamp:

02/08/12 21:00:24 (13 years ago)

Author:

Dsls <dsls@…>

Branch:

2.4

Message:

Advisory ID: HTB23074 - 1.3: Sanitize comments.php and posts.php filter parameters

File:

• admin/posts.php (modified) (1 diff)

admin/posts.php

@@ -138 +138 @@
 /* Get posts
 -------------------------------------------------------- */
-$user_id = !empty($_GET['user_id']) ?   $_GET['user_id'] : '';
-$cat_id = !empty($_GET['cat_id']) ?     $_GET['cat_id'] : '';
-$status = isset($_GET['status']) ? $_GET['status'] : '';
-$selected = isset($_GET['selected']) ?  $_GET['selected'] : '';
-$month = !empty($_GET['month']) ?       $_GET['month'] : '';
-$lang = !empty($_GET['lang']) ?         $_GET['lang'] : '';
-$sortby = !empty($_GET['sortby']) ?     $_GET['sortby'] : 'post_dt';
-$order = !empty($_GET['order']) ?       $_GET['order'] : 'desc';
+$user_id = !empty($_GET['user_id']) ?   html::escapeHTML($_GET['user_id']) : '';
+$cat_id = !empty($_GET['cat_id']) ?     html::escapeHTML($_GET['cat_id']) : '';
+$status = isset($_GET['status']) ? html::escapeHTML($_GET['status']) : '';
+$selected = isset($_GET['selected']) ?  html::escapeHTML($_GET['selected']) : '';
+$month = !empty($_GET['month']) ?       html::escapeHTML($_GET['month']) : '';
+$lang = !empty($_GET['lang']) ?         html::escapeHTML($_GET['lang']) : '';
+$sortby = !empty($_GET['sortby']) ?     html::escapeHTML($_GET['sortby']) : 'post_dt';
+$order = !empty($_GET['order']) ?       html::escapeHTML($_GET['order']) : 'desc';
 
 $show_filters = false;