Escape variables in mfa module

midasplatform · Dec 8, 2014 · 20b98d3 · 20b98d3
1 parent d249394
commit 20b98d3
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/modules/mfa/views/config/index.phtml b/modules/mfa/views/config/index.phtml
@@ -66,24 +66,24 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/config/config.i
             </div>
             <div class="formElement">
                 <label for="radiusServer">The IP or hostname of the RADIUS server</label>
-                <input id="radiusServer" name="radiusServer" value="<?php echo $this->radiusServer; ?>" autofocus/>
+                <input id="radiusServer" name="radiusServer" value="<?php echo $this->escape($this->radiusServer); ?>" autofocus/>
             </div>
             <div class="formElement">
                 <label for="radiusPort">The port of the RADIUS server</label>
-                <input id="radiusPort" name="radiusPort" value="<?php echo $this->radiusPort; ?>"/>
+                <input id="radiusPort" name="radiusPort" value="<?php echo $this->escape($this->radiusPort); ?>"/>
             </div>
             <div class="formElement">
                 <label for="radiusPassword">The password of the RADIUS server</label>
                 <input type="password" id="radiusPassword" name="radiusPassword"
-                       value="<?php echo $this->radiusPassword; ?>"/>
+                       value="<?php echo $this->escape($this->radiusPassword); ?>"/>
             </div>
             <div class="formElement">
                 <label for="radiusTimeout">The timeout when connecting to the RADIUS server</label>
-                <input id="radiusTimeout" name="radiusTimeout" value="<?php echo $this->radiusTimeout; ?>"/>
+                <input id="radiusTimeout" name="radiusTimeout" value="<?php echo $this->escape($this->radiusTimeout); ?>"/>
             </div>
             <div class="formElement">
                 <label for="radiusMaxTries">The maximum number of tries when connecting to the RADIUS server</label>
-                <input id="radiusMaxTries" name="radiusMaxTries" value="<?php echo $this->radiusMaxTries; ?>"/>
+                <input id="radiusMaxTries" name="radiusMaxTries" value="<?php echo $this->escape($this->radiusMaxTries); ?>"/>
             </div>
         </div>
         <div class="saveButton">

diff --git a/modules/mfa/views/config/usertab.phtml b/modules/mfa/views/config/usertab.phtml
@@ -23,7 +23,7 @@ echo '<script type="text/javascript" src="'.$this->moduleWebroot.'/public/js/con
 <link type="text/css" rel="stylesheet" href="<?php echo $this->moduleWebroot ?>/public/css/config/config.usertab.css"/>
 
 <form class="genericForm" id="mfaConfigForm" method="POST" action="<?php echo $this->webroot ?>/mfa/config/usersubmit">
-    <input type="hidden" name="userId" value="<?php echo $this->user->getKey(); ?>"/>
+    <input type="hidden" name="userId" value="<?php echo $this->escape($this->user->getKey()); ?>"/>
 
     <div class="useOtpCheckboxContainer">
         <input id="useOtpCheckbox" type="checkbox" name="useOtp" <?php if ($this->useOtp) {
@@ -40,7 +40,7 @@ echo '<script type="text/javascript" src="'.$this->moduleWebroot.'/public/js/con
                         if ($this->algorithm == $val) {
                             echo 'selected="selected" ';
                         }
-                        echo 'value="'.$val.'">'.$text.'</option>';
+                        echo 'value="'.$this->escape($val).'">'.$this->escape($text).'</option>';
                     }
                     ?>
                 </select></td>
@@ -49,14 +49,14 @@ echo '<script type="text/javascript" src="'.$this->moduleWebroot.'/public/js/con
         <tr>
             <td>Key:</td>
             <td>
-                <input id="otpSecret" type="text" name="secret" value="<?php echo $this->secret; ?>"/>
+                <input id="otpSecret" type="text" name="secret" value="<?php echo $this->escape($this->secret); ?>"/>
             </td>
         </tr>
 
         <tr>
             <td>Token Length:</td>
             <td>
-                <input id="otpLength" type="text" name="length" value="<?php echo $this->length; ?>"/>
+                <input id="otpLength" type="text" name="length" value="<?php echo $this->escape($this->length); ?>"/>
             </td>
         </tr>
     </table>

diff --git a/modules/mfa/views/login/dialog.phtml b/modules/mfa/views/login/dialog.phtml
@@ -23,7 +23,7 @@ echo '<script type="text/javascript" src="'.$this->moduleWebroot.'/public/js/log
 <link type="text/css" rel="stylesheet" href="<?php echo $this->moduleWebroot ?>/public/css/login/login.dialog.css"/>
 
 <form class="genericForm" id="mfaLoginForm" method="POST" action="<?php echo $this->webroot ?>/mfa/login/submit">
-    <input type="hidden" name="userId" value="<?php echo $this->user->getKey(); ?>"/>
+    <input type="hidden" name="userId" value="<?php echo $this->escape($this->user->getKey()); ?>"/>
 
     <div>
         <input id="otpToken" type="password" name="token"/>