* characters. Output encoding is the answer. Validate what you can, encode it
* all.
*
* For JavaScript, always output using innerText (IE) or textContent (FF),
* Do NOT use innerHTML. Using innerHTML is weak anyway. When
* attempting DHTML, program with the proper interface which is
* the DOM. Thats what it is there for.
*/
// encode the output following OWASP standards
// this will be HTML encoding because we are outputting data into HTML
$lEncodeOutput = TRUE;
break;
}// end switch
require_once 'classes/ClientInformationHandler.php';
$lClientInformationHandler = new ClientInformationHandler();
if ($lEncodeOutput){
$lClientUserAgentString = $Encoder->encodeForHTML($lClientInformationHandler->getClientUserAgentString());
}else{
$lClientUserAgentString = $lClientInformationHandler->getClientUserAgentString();
}// end if
} catch (Exception $e) {
echo $CustomErrorHandler->FormatError($e, $query);
}// end try;
?>
<!-- Bubble hints code -->
<?php
try{
// end if
/* ------------------------------------------
* Constants used in application
* ------------------------------------------ */
require_once './includes/constants.php';
require_once __ROOT__ . '/includes/minimum-class-definitions.php';
/* ------------------------------------------
* initialize balloon-hint handler
* ------------------------------------------ */
require_once __ROOT__ . '/classes/BubbleHintHandler.php';
$BubbleHintHandler = new BubbleHintHandler(__ROOT__ . "/owasp-esapi-php/src/", $_SESSION["security-level"]);
/* ------------------------------------------
* initialize Client Information Handler
* ------------------------------------------ */
require_once __ROOT__ . '/classes/ClientInformationHandler.php';
$lClientInformationHandler = new ClientInformationHandler();
try {
switch ($_SESSION["security-level"]) {
case "0":
// this code is insecure
// this code is insecure
case "1":
// this code is insecure
$lProtectAgainstSQLInjection = FALSE;
break;
//case "0"
//case "0"
case "2":
case "3":
case "4":
case "5":
* all.
*
* For JavaScript, always output using innerText (IE) or textContent (FF),
* Do NOT use innerHTML. Using innerHTML is weak anyway. When
* attempting DHTML, program with the proper interface which is
* the DOM. Thats what it is there for.
*/
// encode the output following OWASP standards
// this will be HTML encoding because we are outputting data into HTML
$lEncodeOutput = TRUE;
$luseSafeJavaScript = "true";
break;
}
// end switch
require_once __ROOT__ . '/classes/ClientInformationHandler.php';
$lClientInformationHandler = new ClientInformationHandler();
if ($lEncodeOutput) {
$lWhoIsInformation = $Encoder->encodeForHTML($lClientInformationHandler->whoIsClient());
$lOperatingSystem = $Encoder->encodeForHTML($lClientInformationHandler->getOperatingSystem());
$lBrowser = $Encoder->encodeForHTML($lClientInformationHandler->getBrowser());
$lClientHostname = $Encoder->encodeForHTML($lClientInformationHandler->getClientHostname());
$lClientIP = $Encoder->encodeForHTML($lClientInformationHandler->getClientIP());
$lClientUserAgentString = $Encoder->encodeForHTML($lClientInformationHandler->getClientUserAgentString());
$lClientReferrer = $Encoder->encodeForHTML($lClientInformationHandler->getClientReferrer());
$lClientPort = $Encoder->encodeForHTML($lClientInformationHandler->getClientPort());
} else {
$lWhoIsInformation = $lClientInformationHandler->whoIsClient();
$lOperatingSystem = $lClientInformationHandler->getOperatingSystem();
$lBrowser = $lClientInformationHandler->getBrowser();
$lClientHostname = $lClientInformationHandler->getClientHostname();
$lClientIP = $lClientInformationHandler->getClientIP();
