diff --git a/html/inc/util.inc b/html/inc/util.inc
index e2d15449e7d..bc07a9ff8ff 100644
--- a/html/inc/util.inc
+++ b/html/inc/util.inc
@@ -1048,6 +1048,20 @@ function sanitize_email($x) {
}
}
+// pages like top_hosts.php, team_members.php etc. have a textual
+// "sort_by" argument.
+// Check this to avoid XSS vulnerability
+//
+function sanitize_sort_by($x) {
+ switch($x) {
+ case 'expavg_credit':
+ case 'total_credit':
+ return;
+ default:
+ error_page('bad sort_by');
+ }
+}
+
function flops_to_credit($f) {
return $f*(200/86400e9);
}
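Review bot: The header comment understates what this allow-list protects: the callers in this same patch interpolate the value into an SQL `order by` clause (`get_top_hosts` and `get_top_teams` build `"order by $sort_order ..."`), so the check is the injection control as well as the XSS fix, and the comment should say so, e.g. `// Allow-list check: sort_by is interpolated into an SQL ORDER BY and echoed in links, so only known column names may pass.` The function also validates purely by side effect — it returns nothing on success and relies on error_page() never returning on failure — which is worth stating explicitly (`// error_page() does not return; a caller reaching the next statement may use $x unchanged`), assuming that is error_page's contract. `switch` compares with loose `==`; `if (!in_array($x, ['expavg_credit', 'total_credit'], true)) error_page('bad sort_by');` would make the check strict and easier to extend.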
diff --git a/html/user/team_members.php b/html/user/team_members.php
index 402876891a1..7187fbfccf5 100644
--- a/html/user/team_members.php
+++ b/html/user/team_members.php
@@ -24,9 +24,9 @@
check_get_args(array("sort_by", "offset", "teamid"));
-if (isset($_GET["sort_by"])) {
- $sort_by = $_GET["sort_by"];
- $sort_by = strip_tags($sort_by); // remove XSS nonsense
+$sort_by = get_str("sort_by", true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
} else {
$sort_by = "expavg_credit";
}
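Review bot: The same five-line fetch/validate/default sequence is repeated verbatim in top_hosts.php, top_teams.php and top_users.php in this patch; since `if ($sort_by)` is a plain truthiness test, it collapses without any behavior change to `$sort_by = get_str('sort_by', true) ?: 'expavg_credit';` followed by `sanitize_sort_by($sort_by);`, which keeps a single place to read when the allow-list grows. Note for readers of this file that the previous `strip_tags` line was a sanitizer while `sanitize_sort_by` is a validator that ends the request on an unknown value, so a malformed `sort_by` now produces an error page instead of a silently stripped value; a one-line comment at the call site (`// unknown values end the request via error_page()`) would make that visible. The rest of the page, including where `$sort_by` is consumed, lies outside this hunk.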
diff --git a/html/user/top_hosts.php b/html/user/top_hosts.php
index 4a86ab11f64..930d4b19161 100644
--- a/html/user/top_hosts.php
+++ b/html/user/top_hosts.php
@@ -42,13 +42,11 @@ function get_top_hosts($offset, $sort_by) {
return BoincHost::enum(null, "order by $sort_order limit $offset, $hosts_per_page");
}
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
}
$offset = get_int("offset", true);
diff --git a/html/user/top_teams.php b/html/user/top_teams.php
index 7c3c33e3be9..9ccc43a3f8d 100644
--- a/html/user/top_teams.php
+++ b/html/user/top_teams.php
@@ -47,13 +47,11 @@ function get_top_teams($offset, $sort_by, $type){
return BoincTeam::enum($type_clause, "order by $sort_order limit $offset, $teams_per_page");
}
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
}
$type = get_int("type", true);
diff --git a/html/user/top_users.php b/html/user/top_users.php
index e3df1f88719..cf73a5a9344 100644
--- a/html/user/top_users.php
+++ b/html/user/top_users.php
@@ -72,13 +72,11 @@ function show_user_row($user, $i) {
";
}
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
}
$offset = get_int("offset", true);