From 4935b20b93e20e3032ee63737c0b9f324e2b22c0 Mon Sep 17 00:00:00 2001 From: kkalev Date: Thu, 22 May 2003 09:28:31 +0000 Subject: [PATCH] Escape " in login_time create page before parsing the login-time string --- Changelog | 1 + htdocs/login_time_create.php3 | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 46b17fa..7bee2ef 100644 --- a/Changelog +++ b/Changelog @@ -29,6 +29,7 @@ Ver 1.63: * Add a config directive general_stats_use_totacct. If set we use the totacct table in the stats page instead of radacct * Small change in user_accounting.php3 +* Escape " in login_time create page before parsing the login-time string Ver 1.62: * Remove one sql query from user_admin which was not needed. * Instead of a query like "LIKE 'YYYY-MM-DD%'" use "AcctStopTime >= 'YYYY-MM-DD 00:00:00 AND AcctStopTime diff --git a/htdocs/login_time_create.php3 b/htdocs/login_time_create.php3 index ad0189b..39e437a 100644 --- a/htdocs/login_time_create.php3 +++ b/htdocs/login_time_create.php3 @@ -65,8 +65,10 @@ if ($add == 1){ $Mstart_time = $Mstop_time = $Dstart_time = $Dstop_time = ''; -if ($rulestr != '') +if ($rulestr != ''){ + $rulestr = str_replace('"','',$rulestr); $rules1 = preg_split('/[,|]/',$rulestr); +} if ($rules1){ foreach ($rules1 as $rule){ @@ -146,7 +148,7 @@ foreach ($rules as $rule){ if ($update == 1 && $val != '') echo << -window.opener.document.edituser.$val.value = "$rulestr"; +window.opener.document.edituser.$val.value = "\"$rulestr\""; window.close(); EOM; -- 2.39.5
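Review bot: `$rules1` is still assigned only inside the new braces in the `@@ -65,8 +65,10 @@` hunk, so when `$rulestr` is empty the following `if ($rules1){` tests a variable this code never set. If the page runs with register_globals enabled (plausible for a .php3 page of this age, but not visible here), that value could then come straight from the request. Adding `$rules1 = array();` just before `if ($rulestr != ''){` makes the empty case explicit. The `str_replace` line also deserves a short why-comment, for example `// the value written back to the form is wrapped in double quotes; drop them before splitting into rules`.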
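Review bot: In the `@@ -146,7 +148,7 @@` hunk, `$rulestr` and `$val` are still interpolated into the inline script without any encoding for a JavaScript context. The new `"\"$rulestr\""` relies only on the earlier removal of `"`, so a backslash, a line break or a closing script tag in the value can still end the string or the script element, and `$val` is used unchecked as a property name. Because the page only splits the value on `,` and `|`, an allowlist check before the echo is tighter than a one-character denylist, e.g. `if (!preg_match('/^[A-Za-z0-9,|-]*$/', $rulestr)) $rulestr = '';`, where the exact character set is an assumption to confirm against the accepted login-time syntax. `$val` should likewise be compared against the form-field names this page is expected to update before it is echoed.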