added note about preventing reflected XSS vulnerabilities.

author cash <cash.costello@gmail.com>

Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)

committer cash <cash.costello@gmail.com>

Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)
author cash <cash.costello@gmail.com>
Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)
committer cash <cash.costello@gmail.com>
Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)
diff --git a/engine/lib/input.php b/engine/lib/input.php

index 84752bc7d67793b733ab9f05bba8596cb2156ae5..56ec214dc6ff0dac97de6025a47dbbd4008935f6 100644 (file)
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
  /**
   * Get some input from variables passed on the GET or POST line.
   *
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
   * Note: this function does not handle nested arrays (ex: form input of param[m][n])
   * because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
   *
   * @param string $variable      The variable we want to return.
   * @param mixed  $default       A default value for the variable if it is not found.
author	cash <cash.costello@gmail.com>
	Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)
committer	cash <cash.costello@gmail.com>
	Sat, 2 Jul 2011 13:39:08 +0000 (09:39 -0400)