<?php
/* Mutillidae training page: reads a background colour from the request and
 * reflects it into two places below - the form's inline CSS style and an
 * HTML status message. How the value is handled is chosen by
 * $_SESSION["security-level"]:
 *   "0"     - no client-side validation, no HTML control attributes, no output encoding
 *   "1"     - JavaScript validation and HTML control attributes, still no output encoding
 *   "2"-"5" - as "1", plus context-specific output encoding of the value
 * $Encoder, $CustomErrorHandler and __SITE_ROOT__ are not defined in this file;
 * they are expected to be provided by the page that includes it.
 */
try {
switch ($_SESSION["security-level"]){
case "0": // This code is insecure
$lEnableJavaScriptValidation = FALSE;
$lEnableHTMLControls = FALSE;
$lEncodeBackgroundColor = FALSE;
break;
case "1": // This code is insecure
$lEnableJavaScriptValidation = TRUE;
$lEnableHTMLControls = TRUE;
$lEncodeBackgroundColor = FALSE;
break;
case "2":
case "3":
case "4":
case "5": // This code is fairly secure
$lEnableJavaScriptValidation = TRUE;
$lEnableHTMLControls = TRUE;
$lEncodeBackgroundColor = TRUE;
break;
/* No default case: a missing or unrecognised level leaves all three flags
 * unassigned, so the later "if ($l...)" checks read an undefined variable
 * (falsy, with a PHP warning) and behave like level "0". */
}// end switch
}catch (Exception $e){
echo $CustomErrorHandler->FormatError($e, "Error setting security level");
}// end try
if (isset($_POST["set-background-color-php-submit-button"])){
try{
if ($lEncodeBackgroundColor){
/* Protect against one form of parameter pollution
 * by grabbing inputs only from POST parameters. */
/* Protect against XSS by output encoding. The same value is emitted into
 * two different contexts (a CSS inline style and HTML text), so each sink
 * gets its own context-specific encoder rather than one shared "sanitised"
 * copy. */
$lBackgroundColor = $Encoder->encodeForCSS($_POST["background_color"]);
$lBackgroundColorText = $Encoder->encodeForHTML($_POST["background_color"]);
}else{
/* Insecure path (levels "0" and "1"): the raw value is used unencoded in
 * both output contexts, and it is read from $_REQUEST, so it can also be
 * supplied via the query string (and, depending on request_order, cookies)
 * instead of the POST body. */
$lBackgroundColor = $lBackgroundColorText = $_REQUEST["background_color"];
};
}catch (Exception $e){
/* NOTE(review): if encodeForCSS() is what throws, $lBackgroundColor has not
 * been assigned yet, so this message concatenates an undefined variable. */
echo $CustomErrorHandler->FormatError($e, "Input: " . $lBackgroundColor);
}// end try
}else{
/* First visit (submit button not present in POST): use the default colour. */
$lBackgroundColor = $lBackgroundColorText = "eecccc";
}// end if (isset($_POST))
?>
<script type="text/javascript">
var onSubmitOfForm = function(/* HTMLForm */ theForm){
try{
<?php
// Emit the client-side validation switch as a JS string literal; the value
// is decided server-side from the security level resolved above.
if($lEnableJavaScriptValidation){
echo 'var lValidateInput = "TRUE"' . PHP_EOL;
}else{
echo 'var lValidateInput = "FALSE"' . PHP_EOL;
}// end if
?>
if(lValidateInput == "TRUE"){
// NOTE(review): this pattern matches decimal digits only and is not anchored
// at the end: search() == 0 only requires a match starting at index 0, so
// "123456xyz" passes while "FF0000" (the example shown in the form text) is
// rejected, even though the alert below promises hexadecimal digits. This is
// a client-side check only; the server-side path above does not depend on it.
var lDigits = /[0-9]{6}/;
if (theForm.id_background_color.value.search(lDigits) != 0){
alert('The backgroud color must be 6 hexidecimal digits specified as RRGGBB where R is red, G is green and B is blue');
return false;
};// end if
};// end if(lValidateInput)
return true;
}catch(e){
alert("Error: " + e.message);
};// end catch
};// end function onSubmitOfForm(/*HTMLFormElement*/ theForm)
</script>
<div class="page-title">Set Background Color</div>
<?php include_once (__SITE_ROOT__.'/includes/back-button.inc'); ?>
<?php include_once (__SITE_ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
<form action="index.php?page=set-background-color.php"
method="post"
enctype="application/x-www-form-urlencoded"
onsubmit="return onSubmitOfForm(this);"
style="background-color:#<?php /* CSS attribute sink: encoded with encodeForCSS() only at level "2"+ */ echo $lBackgroundColor; ?>"
>
<table>
<tr id="id-bad-cred-tr" style="display: none;">
<td colspan="2" class="error-message">
Error: Invalid Input
</td>
</tr>
<tr><td> </td></tr>
<tr>
<td colspan="2" class="form-header">Please enter the background color you would like to see<br/><br/>Enter the color in RRGGBB format<br/>(Example: Red = FF0000)</td>
</tr>
<tr><td> </td></tr>
<tr>
<td class="label">Background Color</td>
<td>
<input type="text" name="background_color" id="id_background_color" size="6" autofocus="autofocus"
<?php
// Levels "1"+ add browser-enforced length and required attributes to the
// input; level "0" emits the bare input.
if ($lEnableHTMLControls) {
echo('minlength="6" maxlength="6" required="required"');
}// end if
?>
/>
</td>
</tr>
<tr><td> </td></tr>
<tr>
<td colspan="2" style="text-align:center;">
<input name="set-background-color-php-submit-button" class="button" type="submit" value="Set Background Color" />
</td>
</tr>
<tr><td> </td></tr>
<tr>
<td class="informative-message" colspan="2" style="text-align: center;">
The current background color is <?php /* HTML text sink: encoded with encodeForHTML() only at level "2"+ */ echo $lBackgroundColorText; ?>
</td>
</tr>
<tr><td> </td></tr>
</table>
</form>