Escape " in login_time create page before parsing the login-time string

diff --git a/dialup_admin/Changelog b/dialup_admin/Changelog
index 46b17fa..7bee2ef 100644 (file)
--- a/dialup_admin/Changelog
+++ b/dialup_admin/Changelog
@@ -29,6 +29,7 @@ Ver 1.63:
 * Add a config directive general_stats_use_totacct. If set we use the totacct table in the stats page instead of
   radacct
 * Small change in user_accounting.php3
+* Escape " in login_time create page before parsing the login-time string
 Ver 1.62:
 * Remove one sql query from user_admin which was not needed.
 * Instead of a query like "LIKE 'YYYY-MM-DD%'" use "AcctStopTime >= 'YYYY-MM-DD 00:00:00 AND AcctStopTime

diff --git a/dialup_admin/htdocs/login_time_create.php3 b/dialup_admin/htdocs/login_time_create.php3
index ad0189b..39e437a 100644 (file)
--- a/dialup_admin/htdocs/login_time_create.php3
+++ b/dialup_admin/htdocs/login_time_create.php3
@@ -65,8 +65,10 @@ if ($add == 1){
 $Mstart_time = $Mstop_time = $Dstart_time = $Dstop_time = '';
 
 
-if ($rulestr != '')
+if ($rulestr != ''){
+       $rulestr = str_replace('"','',$rulestr);
        $rules1 = preg_split('/[,|]/',$rulestr);
+}
 
 if ($rules1){
        foreach ($rules1 as $rule){
@@ -146,7 +148,7 @@ foreach ($rules as $rule){
 if ($update == 1 && $val != '')
        echo <<<EOM
 <script language="JavaScript1.1" type="text/javascript">
-window.opener.document.edituser.$val.value = "$rulestr";
+window.opener.document.edituser.$val.value = "\"$rulestr\"";
 window.close();
 </script>
 EOM;