CMS MADE SIMPLE FORGE

Snippets

 

[#7402] Not cleaning input params

Created By: Giorgio Graffieti (protempore)
Date Submitted: Fri Dec 30 04:49:15 -0500 2011

Assigned To: Jean-Christophe Cuvelier (totophe)
Version: Snippets 0.3
CMSMS Version: 1.10.2
Severity: Major
Resolution: None
State: Open
Summary:
Not cleaning input params
Detailed Description:
The Core admin log is full of lines like:
Snippets: Module is not properly cleaning input params


History

Comments
Date: 2014-12-11 14:25
Posted By: John Beatrice (mww)

This also happens for me on all CMSMS versions I've used it on, including
1.11.11. The admin log will grow up to 40 MB ++ in the MySQL database if using
just a few snippets in your templates. Finally, I decided to patch mine with
the following fix, which seems to work.

Inside of Snippets.module.php, around line 80, add SetParameterType() for each
param in use:

  function InitializeFrontend() {
    // Restrict input to the parameters declared below.
    $this->RestrictUnknownParams();

    // Declare each parameter in use and have it cleaned as a string.
    $this->SetParameterType('name', CLEAN_STRING);
    $this->SetParameterType('module', CLEAN_STRING);
    $this->SetParameterType('action', CLEAN_STRING);
    $this->SetParameterType('output', CLEAN_STRING);

    $this->RegisterModulePlugin();
  }
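
The effect of declaring parameters as in the fix above, shown as an added example that is not part of the original comment and is not CMSMS source code: a simplified model of a parameter map that drops undeclared input and cleans declared string parameters. `ParamMap`, `TYPE_STRING`, the HTML-escaping rule and the sample request are assumptions made for illustration.

```php
<?php
// Simplified model of a declared parameter map; hypothetical code, not CMSMS source.
const TYPE_STRING = 'string'; // stands in for a string-cleaning type such as CLEAN_STRING

final class ParamMap
{
    private array $types = [];             // declared name => type
    private bool $restrictUnknown = false;

    public function setType(string $name, string $type): void { $this->types[$name] = $type; }
    public function restrictUnknown(bool $flag = true): void { $this->restrictUnknown = $flag; }

    /** Returns [cleaned params, names of dropped params]. */
    public function clean(array $input): array
    {
        $clean = $dropped = [];
        foreach ($input as $name => $value) {
            if (!isset($this->types[$name])) {
                if ($this->restrictUnknown) {
                    $dropped[] = $name;       // undeclared: never reaches the module action
                } else {
                    $clean[$name] = $value;   // unrestricted: passed through uncleaned
                }
                continue;
            }
            if (!is_scalar($value)) {         // e.g. output[]=html arrives as an array
                $dropped[] = $name;
                continue;
            }
            // Assumed cleaning rule for this model: HTML-escape string parameters.
            $clean[$name] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        return [$clean, $dropped];
    }
}

// Constructed request parameters for the demonstration.
$request = ['name' => '<b>footer</b>', 'output' => ['html'], 'debug' => '1'];

$map = new ParamMap();
$map->restrictUnknown();
foreach (['name', 'module', 'action', 'output'] as $param) {
    $map->setType($param, TYPE_STRING);
}

[$clean, $dropped] = $map->clean($request);
var_dump($clean);   // cleaned values that would be handed to the module
var_dump($dropped); // names that were rejected
```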