security: protect XSS seekers from their own hacks

2025-09-20 18:09:54 +00:00 · 2018-04-10 11:22:14 +02:00 · 2018-04-10 11:22:14 +02:00 · e97ea63c61
commit e97ea63c61
parent 60fb627ad9
3 changed files with 10 additions and 0 deletions
--- a/web/yaamp/modules/renting/login.php
+++ b/web/yaamp/modules/renting/login.php
@ -13,6 +13,9 @@ $this->widget('UniForm');

 $address = getparam('address');
 if($address == 0) $address = '';
+if (!empty($address) && preg_match('/[^A-Za-z0-9]/', $address)) {
+	die;
+}

 echo <<<end

--- a/web/yaamp/modules/site/wallet.php
+++ b/web/yaamp/modules/site/wallet.php
@ -14,6 +14,10 @@ foreach($raw_recents as $addr) {
 }

 $address = getparam('address');
+if (!empty($address) && preg_match('/[^A-Za-z0-9]/', $address)) {
+	// Just to make happy XSS seekers who can hack their own browser html...
+	die;
+}

 $drop_address = getparam('drop');
 if (!empty($drop_address)) {
--- a/web/yaamp/modules/trading/index.php
+++ b/web/yaamp/modules/trading/index.php
@ -10,6 +10,9 @@ JavascriptFile("/extensions/jqplot/plugins/jqplot.highlighter.js");
 $height = '240px';

 $wallet = user()->getState('yaamp-wallet');
+if (!empty($wallet) && preg_match('/[^A-Za-z0-9]/', $wallet)) {
+	die;
+}
 $user = getuserparam($wallet);

 $algo_unit = 'Mh';