Skip to content
This repository was archived by the owner on Dec 12, 2018. It is now read-only.

No Cross Site Scripting #16

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+32 −0
Open

No Cross Site Scripting #16

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9a94fe4
Do not allow Cross Site Scripting attacks
mschultheiss May 10, 2013
f7404c0
Update mongodbadmin.php
mschultheiss May 24, 2013
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions mongodbadmin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,9 @@ function renderDocumentPreview($mongo, $document)
{
$document = prepareMongoDBDocumentForEdit($document);
$preview = linkDocumentReferences($mongo, $document);
$preview = secureOutput($preview);
$preview = print_r($preview, true);

return $preview;
}

Expand Down Expand Up @@ -161,6 +163,36 @@ function prepareValueForMongoDB($value)
return $prepared;
}


/**
* Do not execute Javascript like <script>alert("XSS Attack");</script>
*
* @param string $value
* @return string $prepared
*/

function secureOutput($value)
{
$prepared = array();
foreach ($value as $key => $value) {

if ($key === '_id') {
$value = (string) $value;
}
if ($key === '$id') {
$value = (string) $value;
}
if (is_array($value)) {
$prepared[$key] = secureOutput($value);
} else {
$prepared[$key] = htmlentities ($value, ENT_QUOTES, "UTF-8");;
}
}
return $prepared;
}



/**
* Prepare a MongoDB document for the textarea so it can be edited.
*
Expand Down