- Timestamp:
- 11/30/11 18:11:03 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/dns.cgi
r173 r174 289 289 290 290 $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg}; 291 $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg}; 291 if ($session->param('errmsg')) { 292 $page->param(errmsg => $session->param('errmsg')); 293 $session->clear('errmsg'); 294 } 292 295 293 296 $page->param(curpage => $webvar{page}); 294 # if ($webvar{del_failed}) {295 # $page->param(del_failed => 1);296 # $page->param(errmsg => $webvar{errmsg});297 # }298 297 299 298 listdomains(); … … 306 305 fill_grouplist("grouplist"); 307 306 308 if ($webvar{add_failed}) { 307 if ($session->param('add_failed')) { 308 $session->clear('add_failed'); 309 309 $page->param(add_failed => 1); 310 $page->param(errmsg => $webvar{errmsg}); 310 $page->param(errmsg => $session->param('errmsg')); 311 $session->clear('errmsg'); 311 312 $page->param(domain => $webvar{domain}); 312 313 } … … 319 320 # security check - does the user have permission to access this entity? 320 321 if (!check_scope(id => $webvar{group}, type => 'group')) { 321 changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain}, 322 $session->param('add_failed', 1); 323 ##fixme: domain a security risk for XSS? 324 changepage(page => "newdomain", domain => $webvar{domain}, 322 325 errmsg => "You do not have permission to add a domain to the requested group"); 323 326 } … … 330 333 } else { 331 334 logaction(0, $session->param("username"), $webvar{group}, "Failed adding domain $webvar{domain} ($msg)"); 332 changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain}, errmsg => $msg); 335 $session->param('add_failed', 1); 336 ##fixme: domain a security risk for XSS? 337 changepage(page => "newdomain", domain => $webvar{domain}, errmsg => $msg); 333 338 } 334 339 … … 431 436 432 437 $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg}; 433 $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg}; 438 if ($session->param('errmsg')) { 439 $page->param(errmsg => $session->param('errmsg')); 440 $session->clear('errmsg'); 441 } 434 442 435 443 } # close "you can't edit default records" check … … 733 741 734 742 $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg}; 735 $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg}; 743 if ($session->param('errmsg')) { 744 $page->param(errmsg => $session->param('errmsg')); 745 $session->clear('errmsg'); 746 } 736 747 $page->param(curpage => $webvar{page}); 737 748 … … 1015 1026 $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg}; 1016 1027 $page->param(warnmsg => $webvar{warnmsg}) if $webvar{warnmsg}; 1017 $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg}; 1028 if ($session->param('errmsg')) { 1029 $page->param(errmsg => $session->param('errmsg')); 1030 $session->clear('errmsg'); 1031 } 1018 1032 $page->param(curpage => $webvar{page}); 1019 1033 … … 1505 1519 sub changepage { 1506 1520 my %params = @_; # think this works the way I want... 1521 1522 # cross-site scripting fixup. instead of passing error messages by URL/form 1523 # variable, put them in the session where the nasty user can't meddle. 1524 if ($params{errmsg}) { 1525 $session->param('errmsg', $params{errmsg}); 1526 delete $params{errmsg}; 1527 } 1507 1528 1508 1529 # handle user check
Note:
See TracChangeset
for help on using the changeset viewer.