From 9a94fe42edb4fbbae1630a6d0ef4d33d0ffe2e94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Schulthei=C3=9F?=
Date: Fri, 10 May 2013 20:36:21 +0300
Subject: [PATCH 1/2] Do not allow Cross Site Scripting attacks
If you add a entry like [field] = "" to a document, the Javascript is executed. This change should fix the issue.
---
 mongodbadmin.php | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/mongodbadmin.php b/mongodbadmin.php
index 1c333d9..3fbe8ba 100644
--- a/mongodbadmin.php
+++ b/mongodbadmin.php
@@ -72,7 +72,9 @@ function renderDocumentPreview($mongo, $document)
 {
     $document = prepareMongoDBDocumentForEdit($document);
     $preview = linkDocumentReferences($mongo, $document);
+    $preview = secureOutput($preview);
     $preview = print_r($preview, true);
+
     return $preview;
 }
@@ -161,6 +163,36 @@ function prepareValueForMongoDB($value)
     return $prepared;
 }
+
+/**
+ * Do not execute Javascript like
+ *
+ * @param string $document
+ * @return string $preview
+ */
+
+function secureOutput($value)
+{
+    $prepared = array();
+    foreach ($value as $key => $value) {
+
+        if ($key === '_id') {
+            $value = (string) $value;
+        }
+        if ($key === '$id') {
+            $value = (string) $value;
+        }
+        if (is_array($value)) {
+            $prepared[$key] = secureOutput($value);
+        } else {
+            $prepared[$key] = htmlentities ($value, ENT_QUOTES, "UTF-8");;
+        }
+    }
+    return $prepared;
+}
+
+
+
 /**
  * Prepare a MongoDB document for the textarea so it can be edited.
  *
From f7404c003b09f85f6a7e84986cbfc27045c27cef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Schulthei=C3=9F?=
Date: Fri, 24 May 2013 22:08:55 +0300
Subject: [PATCH 2/2] Update mongodbadmin.php
changed description
---
 mongodbadmin.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mongodbadmin.php b/mongodbadmin.php
index 3fbe8ba..63c484c 100644
--- a/mongodbadmin.php
+++ b/mongodbadmin.php
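Review bot: `secureOutput` escapes only the values, while the `$key` it stores into `$prepared` is passed through untouched; since `renderDocumentPreview` then runs the result through `print_r`, which prints every key as `[key] => value`, a field name containing markup still reaches the page unescaped, so the key needs the same `htmlentities` treatment as the value. The loop also reuses the parameter name as its value variable (`foreach ($value as $key => $value)`), which works in PHP but reads as if the input were being overwritten, and the `;;` on the `htmlentities` line is a stray token. On PHP 5.4 or later consider `ENT_QUOTES | ENT_SUBSTITUTE`, because without it `htmlentities` returns an empty string for a value holding invalid UTF-8 and that field silently vanishes from the preview instead of being shown. Object values under keys other than `_id` and `$id` are not cast before reaching `htmlentities`, which does not accept objects; whether `prepareMongoDBDocumentForEdit` has already converted them cannot be seen from this hunk, so that is worth confirming.
```php
function secureOutput($value)
{
    $prepared = array();
    foreach ($value as $key => $item) {
        if ($key === '_id' || $key === '$id') {
            $item = (string) $item;
        }
        // Field names appear in the print_r() output as well, so escape them like the values.
        $safeKey = htmlentities((string) $key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        if (is_array($item)) {
            $prepared[$safeKey] = secureOutput($item);
        } else {
            $prepared[$safeKey] = htmlentities($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $prepared;
}
```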
@@ -167,8 +167,8 @@ function prepareValueForMongoDB($value)
 /**
  * Do not execute Javascript like
  *
- * @param string $document
- * @return string $preview
+ * @param string $value
+ * @return string $prepared
  */
 function secureOutput($value)
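Review bot: The corrected docblock still declares the wrong types: `secureOutput` iterates its argument with `foreach` and returns the `$prepared` array it builds (see the function body added by the first patch on this page), so the tags should read `@param array $value` and `@return array` — `@return` conventionally carries only the type, not a variable name. The one-line description also appears truncated (`Do not execute Javascript like` with nothing following it); a statement of what the function does would serve readers better, for example `Recursively HTML-escape the scalar values of a document array so the preview can be embedded in HTML.`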