fix: [security] Fix to a reflected XSS in the default layout template

- as reported by Tuscany Internet eXchange | Misp Team | TIX CyberSecurity
MISP · Mar 28, 2019 · 586cca3 · 586cca3
1 parent 823ea74
commit 586cca3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/View/Layouts/default.ctp b/app/View/Layouts/default.ctp
@@ -101,9 +101,9 @@
         var baseurl = '<?php echo $baseurl; ?>';
         var here = '<?php
                 if (substr($this->params['action'], 0, 6) === 'admin_') {
-                    echo $baseurl . '/admin/' . $this->params['controller'] . '/' . substr($this->params['action'], 6);
+                    echo $baseurl . '/admin/' . h($this->params['controller']) . '/' . h(substr($this->params['action'], 6));
                 } else {
-                    echo $baseurl . '/' . $this->params['controller'] . '/' . $this->params['action'];
+                    echo $baseurl . '/' . h($this->params['controller']) . '/' . h($this->params['action']);
                 }
             ?>';
         $(document).ready(function(){