fixed XSS

2012-03-03 19:19:55 +00:00 · 2012-03-03 19:19:55 +00:00 · e2a912583d
parent 207e7a443f
commit e2a912583d
2 changed files with 10 additions and 10 deletions
--- a/lam/templates/3rdParty/pla/htdocs/export.php
+++ b/lam/templates/3rdParty/pla/htdocs/export.php
@ -29,12 +29,12 @@ if ($request['file']) {
 	header('Content-type: application/download');
 	header(sprintf('Content-Disposition: inline; filename="%s.%s"','export',$types['extension'].($request['export']->isCompressed() ? '.gz' : '')));
-	$request['export']->export();
+	echo $request['export']->export();
 	die();
 } else {
 	print '<span style="font-size: 14px; font-family: courier;"><pre>';
-	$request['export']->export();
+	echo htmlspecialchars($request['export']->export());
 	print '</pre></span>';
 }
 ?>
--- a/lam/templates/3rdParty/pla/lib/export_functions.php
+++ b/lam/templates/3rdParty/pla/lib/export_functions.php
@ -318,9 +318,9 @@ class ExportCSV extends Export {
 		}
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 	/**
@ -422,9 +422,9 @@ class ExportDSML extends Export {
 		$output .= sprintf('</dsml>%s',$this->br);
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }
@ -500,9 +500,9 @@ class ExportLDIF extends Export {
 		}
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 	/**
@ -627,9 +627,9 @@ class ExportVCARD extends Export {
 		}
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }
 ?>