Commit 104090a

Resolving Issue #867
Cross-site scripting (XSS) vulnerability in auth_profile.php
1 parent 30bbf22 commit 104090a

2 files changed, +4 -3 lines changed

Diff for: auth_profile.php

+3 -3
@@ -147,7 +147,7 @@ function settings() {
147147

148148
form_start('auth_profile.php');
149149

150-
html_start_box( __('User Account Details'), '100%', true, '3', 'center', '');
150+
html_start_box(__('User Account Details'), '100%', true, '3', 'center', '');
151151

152152
$current_user = db_fetch_row_prepared('SELECT * FROM user_auth WHERE id = ?', array($_SESSION['sess_user_id']));
153153

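Review bot: the only change in this hunk is dropping the space after the opening parenthesis in `html_start_box( __('User Account Details'), ...`; it is a whitespace cleanup with no bearing on the XSS fix the commit message describes and would be clearer in a separate style commit.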
@@ -418,7 +418,7 @@ function langChange() {
418418
});
419419

420420
$('input[value="<?php print __esc('Return');?>"]').unbind().click(function(event) {
421-
document.location = '<?php print $_SESSION['profile_referer'];?>';
421+
document.location = '<?php print htmlspecialchars($_SESSION['profile_referer']);?>';
422422
});
423423
});
424424

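Review bot: `htmlspecialchars()` is the wrong encoder for this context. The value is printed into a JavaScript string literal (`document.location = '...'`) inside the script block, and on PHP versions before 8.1 the default flags of `htmlspecialchars()` do not include `ENT_QUOTES`, so single quotes pass through unchanged and the string delimiter itself is not protected. Emit the value as a JavaScript literal instead, e.g. `document.location = <?php print json_encode($_SESSION['profile_referer'], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>;`, and consider validating that `$_SESSION['profile_referer']` is a same-site path before using it as a redirect target.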
@@ -427,7 +427,7 @@ function langChange() {
427427

428428
form_hidden_box('save_component_graph_config','1','');
429429

430-
form_save_buttons(array(array('id' => 'return', 'value' => 'Return'), array('id' => 'save', 'value' => 'Save')));
430+
form_save_buttons(array(array('id' => 'return', 'value' => __esc('Return')), array('id' => 'save', 'value' => __esc('Save'))));
431431

432432
form_end();
433433
}
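Review bot: wrapping the button values in `__esc()` is required for the selector in the hunk above (`$('input[value="<?php print __esc('Return');?>"]')`) to match, since the button value and the selector now pass through the same translation and escaping; before this change the button carried the literal `'Return'`, so the Return handler would not have bound in a translated UI. Worth confirming that `form_save_buttons()` does not HTML-escape the value a second time, which would double-encode translations containing `&` or quotes.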

Diff for: docs/CHANGELOG

+1
@@ -6,6 +6,7 @@ Cacti CHANGELOG
66
-issue#861: The search filter does not support Cyrillic
77
-issue#862: Automation - When editing Graph Rules, unable to Change Data Query
88
-issue#863: Typo error in auth_login.php for LDAP authentication
9+
-issue#867: Cross-site scripting (XSS) vulnerability in auth_profile.php
910
-issue: Link's not showing in Automation Graph and Tree rules on Sunshine theme
1011
-feature: Resize Graphs on Graph page to be responsive
1112
