# HG changeset patch
# User Matti Hamalainen <ccr@tnsp.org>
# Date 1451523767 -7200
# Node ID 98c798a843edf073537b6101beea0d5c920a61bd
# Parent  fd471bd4e0136142af070784cd13ab987a3beeff
Better input validation.

diff -r fd471bd4e013 -r 98c798a843ed materials/info.php
--- a/materials/info.php	Thu Dec 31 03:02:17 2015 +0200
+++ b/materials/info.php	Thu Dec 31 03:02:47 2015 +0200
@@ -80,7 +80,8 @@
 
 if (isset($_GET["m"]))
 {
-  $setShowMat = strtolower($_GET["m"]);
+  $setShowMat = trim(preg_replace("/[^a-z ]/", " ", strtolower($_GET["m"])));
+  $setShowMat = preg_replace("/ +/", " ", $setShowMat);
   $setShowMatName = strtoupper(substr($setShowMat,0,1)).substr($setShowMat, 1);
 }
 
@@ -186,14 +187,18 @@
   if (!isset($matDataTable[$setShowMat]))
   {
     echo
-      "<h2>Error! No such material '".$setShowMatName."'</h2>\n".
+      "<h2>Error! No such material '".chentities($setShowMatName)."'</h2>\n".
       "<p>Material is not known. Check spelling.</p>\n";
   }
   else
   {
-    echo "<h2>".$setShowMatName."</h2>\n".
-    "<table width=\"95%\">\n".
-    "<tr>";
+    //
+    // Print material information table
+    //
+    echo
+      "\n".
+      "<h2>".chentities($setShowMatName)."</h2>\n".
+      "<table class=\"materialInfo\" width=\"95%\">\n";
 
     $n = 0;
     foreach ($matDataTable[$setShowMat] as $key => $val)