Escape " in login_time create page before parsing the login-time string

diff --git a/Changelog b/Changelog
index 46b17fa84b914a571011150a69be7a9dea0fbab2..7bee2efbc247fbe55b00523392a0e80dd7468dd8 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -29,6 +29,7 @@ Ver 1.63:
 * Add a config directive general_stats_use_totacct. If set we use the totacct table in the stats page instead of
   radacct
 * Small change in user_accounting.php3
+* Escape " in login_time create page before parsing the login-time string
 Ver 1.62:
 * Remove one sql query from user_admin which was not needed.
 * Instead of a query like "LIKE 'YYYY-MM-DD%'" use "AcctStopTime >= 'YYYY-MM-DD 00:00:00 AND AcctStopTime

diff --git a/htdocs/login_time_create.php3 b/htdocs/login_time_create.php3
index ad0189baa7fe29b892569e35d228c832ac832dc5..39e437ad49a6d68d3dda8d8ee432de31a1820dc0 100644 (file)
--- a/htdocs/login_time_create.php3
+++ b/htdocs/login_time_create.php3
@@ -65,8 +65,10 @@ if ($add == 1){
 $Mstart_time = $Mstop_time = $Dstart_time = $Dstop_time = '';
 
 
-if ($rulestr != '')
+if ($rulestr != ''){
+       $rulestr = str_replace('"','',$rulestr);
        $rules1 = preg_split('/[,|]/',$rulestr);
+}
 
 if ($rules1){
        foreach ($rules1 as $rule){
@@ -146,7 +148,7 @@ foreach ($rules as $rule){
 if ($update == 1 && $val != '')
        echo <<<EOM
 <script language="JavaScript1.1" type="text/javascript">
-window.opener.document.edituser.$val.value = "$rulestr";
+window.opener.document.edituser.$val.value = "\"$rulestr\"";
 window.close();
 </script>
 EOM;