#446 continuing: sanitizing parameters...

SVN:trunk[1451]

application/ajaxwebpage.class.inc.php

@@ -45,11 +45,12 @@ class ajax_page extends WebPage
     {
         parent::__construct($s_title);
         $this->m_sReadyScript = "";
-		$this->add_header("Content-type: text/html; charset=utf-8");
+		//$this->add_header("Content-type: text/html; charset=utf-8");
 		$this->add_header("Cache-control: no-cache");
 		$this->m_sCurrentTabContainer = '';
         $this->m_sCurrentTab = '';
 		$this->m_aTabs = array();
+		$this->sContentType = 'text/html';
 		$this->sContentDisposition = 'inline';
     }	
 
@@ -97,10 +98,6 @@ class ajax_page extends WebPage
     	{
 			$this->add_header('Content-type: '.$this->sContentType);
     	}
-    	else
-    	{
-			$this->add_header('Content-type: text/html');
-    	}
     	if (!empty($this->sContentDisposition))
     	{
 			$this->add_header('Content-Disposition: '.$this->sContentDisposition.'; filename="'.$this->sContentFileName.'"');

application/cmdbabstract.class.inc.php

@@ -1388,8 +1388,8 @@ EOF
 		$sHtml .= "<form id=\"formOQL{$iSearchFormId}\"><table style=\"width:80%;\"><tr style=\"vertical-align:top\">\n";
 		$sHtml .= "<td style=\"text-align:right\"><label>SELECT&nbsp;</label><select name=\"oql_class\">";
 		$aClasses = MetaModel::EnumChildClasses($sClassName, ENUM_CHILD_CLASSES_ALL);
-		$sSelectedClass = utils::ReadParam('oql_class', $sClassName);
-		$sOQLClause = utils::ReadParam('oql_clause', '');
+		$sSelectedClass = utils::ReadParam('oql_class', $sClassName, false, 'class');
+		$sOQLClause = utils::ReadParam('oql_clause', '', false, 'raw_data');
 		asort($aClasses);
 		foreach($aClasses as $sChildClass)
 		{
@@ -2339,7 +2339,7 @@ EOF
 	{
 		$aErrors = array();
 
-		$aRawValues = utils::ReadParam($sArgName, array());
+		$aRawValues = utils::ReadParam($sArgName, array(), '', 'raw_data');
 
 		$aValues = array();
 		foreach($this->GetWriteableAttList($aAttList, $aErrors) as $sAttCode => $oAttDef)

application/itopwebpage.class.inc.php

@@ -629,7 +629,7 @@ EOF
 		}
 
 		// Render the text of the global search form
-		$sText = htmlentities(utils::ReadParam('text', ''), ENT_QUOTES, 'UTF-8');
+		$sText = htmlentities(utils::ReadParam('text', '', false, 'raw_data'), ENT_QUOTES, 'UTF-8');
 		$sOnClick = "";
 		if (empty($sText))
 		{

application/portalwebpage.class.inc.php

@@ -427,7 +427,7 @@ EOF
 			//
 			$this->add('<span style="white-space: nowrap;padding:5px;display:inline-block;">');
 			$sFilterValue = '';
-			$sFilterValue = utils::ReadParam($sPrefix.$sFieldName, '');
+			$sFilterValue = utils::ReadParam($sPrefix.$sFieldName, '', false, 'raw_data');
 			$sFilterOpCode = null; // Use the default 'loose' OpCode
 			$oAttDef = MetaModel::GetAttributeDef($sClass, $sAttSpec);
 			if ($oAttDef->IsExternalKey())
@@ -530,14 +530,14 @@ EOF
 	 * @input string $sMethod Either get or post
 	 * @return Hash Array of name => value corresponding to the parameters that were passed to the page
 	 */
-	public function ReadAllParams($sParamList, $sPrefix = 'attr_', $sMethod = 'get')
+	public function ReadAllParams($sParamList, $sPrefix = 'attr_')
 	{
 		$aParams = explode(',', $sParamList);
 		$aValues = array();
 		foreach($aParams as $sName)
 		{
 			$sName = trim($sName);
-			$value = utils::ReadParam($sPrefix.$sName, null, $sMethod);
+			$value = utils::ReadParam($sPrefix.$sName, null, false, 'raw_data');
 			if (!is_null($value))
 			{
 				$aValues[$sName] = $value;
@@ -658,8 +658,8 @@ EOF
 	 */
 	public function FindObjectFromArgs($aAllowedClasses = null)
 	{
-		$sClass = utils::ReadParam('class', '');
-		$iId = utils::ReadParam('id', 0);
+		$sClass = utils::ReadParam('class', '', true, 'class');
+		$iId = utils::ReadParam('id', 0, true, 'integer');
 	
 		if (empty($sClass))
 		{
@@ -781,7 +781,7 @@ EOF
 
 	protected function GetWizardStepHistory()
 	{
-		$sRawHistory = trim(utils::ReadParam('step_history', ''));
+		$sRawHistory = trim(utils::ReadParam('step_history', '', false, 'raw_data'));
 		if (strlen($sRawHistory) == 0)
 		{
 			return array();