Include common settings and xssClean output

mattpass · mattpass · commit 47af30e0b68a · 2014-05-20T07:25:15.000+01:00
inlcude_once the settings-common.php file so we have the xssClean
function
Set $req to the xssClean'd value or blank
Also xssClean other strings that are output
diff --git a/lib/headers.php b/lib/headers.php
@@ -1,20 +1,21 @@
 <?php
-// Start a session if we haven't already
-if(!isset($_SESSION)) {@session_start();}
+// Load common functions
+include_once(dirname(__FILE__)."/settings-common.php");
 
 // CSRF synchronizer token pattern, 32 chars
 if (!isset($_SESSION["csrf"])) {
 	$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));	
 }
 
 if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) {
+	$req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"],"html") : "";
 	die("Bad CSRF token. Please report the error info at https://github.com/mattpass/ICEcoder so it can be fixed.<br><br>
 		CSRF issue:<br>
-		REQUEST: ".$_REQUEST["csrf"]."<br>
-		SESSION: ".$_SESSION["csrf"]."<br>
-		FILE: ".$_SERVER["SCRIPT_NAME"]."<br>
-		GET: ".var_export($_GET, true)."<br>
-		POST: ".var_export($_POST, true)."<br>
+		REQUEST: ".$req."<br>
+		SESSION: ".xssClean($_SESSION["csrf"],"html")."<br>
+		FILE: ".xssClean($_SERVER["SCRIPT_NAME"],"html")."<br>
+		GET: ".xssClean(var_export($_GET, true),"html")."<br>
+		POST: ".xssClean(var_export($_POST, true),"html")."<br>
 		<br>Many thanks!");
 }
 
