* characters. Output encoding is the answer. Validate what you can, encode it
	  			 * all.
	  			 * 
	  			 * For JavaScript, always write untrusted data with innerText (IE) or
	  			 * textContent (FF): both assign a text node, so the browser never parses
	  			 * the value as markup. Do NOT use innerHTML, which re-parses the string
	  			 * as HTML. Using innerHTML is weak anyway. When attempting DHTML, program
	  			 * with the proper interface, which is the DOM. That's what it is there for.
	  			 */
	   			// encode the output following OWASP standards
	   			// this will be HTML encoding because we are outputting data into HTML
				$lEncodeOutput = TRUE;
	   		break;
	   	}// end switch		
	
		// ClientInformationHandler presumably wraps request-supplied client data
		// (the User-Agent header here); treat whatever it returns as untrusted.
		require_once 'classes/ClientInformationHandler.php';
		$lClientInformationHandler = new ClientInformationHandler();

		// Fetch the raw header once, then decide on encoding. $lEncodeOutput comes
		// from the security-level switch above: when it is FALSE the client-controlled
		// User-Agent value passes through unencoded (the intentionally weak path);
		// otherwise it is HTML-entity encoded. encodeForHTML targets the HTML body
		// context only — placing this value in an attribute, URL or script block
		// would need the matching context-specific encoder instead.
		$lRawUserAgent = $lClientInformationHandler->getClientUserAgentString();
		$lClientUserAgentString = $lEncodeOutput
			? $Encoder->encodeForHTML($lRawUserAgent)
			: $lRawUserAgent;
	
    } catch (Exception $e) {
		echo $CustomErrorHandler->FormatError($e, $query);
    }// end try;
?>

<!-- Bubble hints code -->
<?php 
	try{
// end if
/* ------------------------------------------
 * Constants used in application
 * ------------------------------------------ */
// constants.php is pulled in by a cwd-relative path; every later include is
// anchored on __ROOT__ (presumably defined there), so the include set does
// not drift with the working directory once constants are loaded.
require_once './includes/constants.php';
require_once __ROOT__ . '/includes/minimum-class-definitions.php';

/* ------------------------------------------
 * initialize balloon-hint handler
 * ------------------------------------------ */
require_once __ROOT__ . '/classes/BubbleHintHandler.php';
// The security level is read from the server-side session, not from a request
// parameter, so whichever page writes that key decides how hints and
// protections behave. This assumes session_start() has already run and the
// key exists; an absent key yields null (plus a PHP notice/warning) rather
// than a safe default — TODO confirm the caller always sets it.
$lSessionSecurityLevel = $_SESSION["security-level"];
$BubbleHintHandler = new BubbleHintHandler(
	__ROOT__ . "/owasp-esapi-php/src/",
	$lSessionSecurityLevel
);

/* ------------------------------------------
 * initialize Client Information Handler
 * ------------------------------------------ */
// Exposes request-derived client data; callers must encode its output for
// the context they render it into (see the encodeForHTML usage further down).
require_once __ROOT__ . '/classes/ClientInformationHandler.php';
$lClientInformationHandler = new ClientInformationHandler();
try {
    switch ($_SESSION["security-level"]) {
        case "0":
            // this code is insecure
        // this code is insecure
        case "1":
            // this code is insecure
            $lProtectAgainstSQLInjection = FALSE;
            break;
            //case "0"
        //case "0"
        case "2":
        case "3":
        case "4":
        case "5":
          * all.
          * 
          * For JavaScript, always write untrusted data with innerText (IE) or
          * textContent (FF): both assign a text node, so the browser never parses
          * the value as markup. Do NOT use innerHTML, which re-parses the string
          * as HTML. Using innerHTML is weak anyway. When attempting DHTML, program
          * with the proper interface, which is the DOM. That's what it is there for.
          */
         // encode the output following OWASP standards
         // this will be HTML encoding because we are outputting data into HTML
         $lEncodeOutput = TRUE;
         $luseSafeJavaScript = "true";
         break;
 }
 // end switch
 // require_once makes this a no-op if the class file was already loaded above.
 // The accessors used below (browser, IP, hostname, referrer, User-Agent, port)
 // return data largely supplied or influenced by the client, so every value is
 // untrusted until it is encoded for the context it is rendered into.
 require_once __ROOT__ . '/classes/ClientInformationHandler.php';
 $lClientInformationHandler = new ClientInformationHandler;
 if ($lEncodeOutput) {
     $lWhoIsInformation = $Encoder->encodeForHTML($lClientInformationHandler->whoIsClient());
     $lOperatingSystem = $Encoder->encodeForHTML($lClientInformationHandler->getOperatingSystem());
     $lBrowser = $Encoder->encodeForHTML($lClientInformationHandler->getBrowser());
     $lClientHostname = $Encoder->encodeForHTML($lClientInformationHandler->getClientHostname());
     $lClientIP = $Encoder->encodeForHTML($lClientInformationHandler->getClientIP());
     $lClientUserAgentString = $Encoder->encodeForHTML($lClientInformationHandler->getClientUserAgentString());
     $lClientReferrer = $Encoder->encodeForHTML($lClientInformationHandler->getClientReferrer());
     $lClientPort = $Encoder->encodeForHTML($lClientInformationHandler->getClientPort());
 } else {
     $lWhoIsInformation = $lClientInformationHandler->whoIsClient();
     $lOperatingSystem = $lClientInformationHandler->getOperatingSystem();
     $lBrowser = $lClientInformationHandler->getBrowser();
     $lClientHostname = $lClientInformationHandler->getClientHostname();
     $lClientIP = $lClientInformationHandler->getClientIP();