Fix XSS Vul for $invocation_user
Since the invocation id and invocation user cannot be anything but an alphanumeric string, we will use that check as our fix. This will avoid the usage of any JS code as values since it would need special chars like "<>".
hussamnasir authored Aug 27, 2020
1 parent c2356cc commit 39a96fb
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions portal/www/portal/sliceresource.php
@@ -62,6 +62,10 @@ function no_invocation_id_error() {
array_key_exists("invocation_user", $_REQUEST)) {
$invocation_user = $_REQUEST['invocation_user'];
$invocation_id = $_REQUEST['invocation_id'];
if(!ctype_alnum($invocation_id) || !ctype_alnum($invocation_user))
{
relative_redirect('dashboard.php#slices');
}
}
else {
no_invocation_id_error();
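Review bot: the failure branch at the `ctype_alnum` check redirects but does not stop the script; unless `relative_redirect()` itself calls `exit`, which this hunk does not show, execution falls through past the closing `}` and the rest of `sliceresource.php` still runs with the unvalidated `$invocation_id` and `$invocation_user`, with only the browser following the Location header hiding that. Add an explicit `exit;` (or `return`) directly after `relative_redirect('dashboard.php#slices');`. Two smaller points: `ctype_alnum()` is locale-dependent, so an explicit allowlist such as `preg_match('/\A[A-Za-z0-9]+\z/', $invocation_id)` makes the accepted character set unambiguous, and the values should still go through `htmlspecialchars()` wherever they are echoed, since input filtering is a first line of defence rather than a replacement for output encoding.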
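The pattern the commit message describes, allowlisting alphanumeric request parameters so that no HTML or JavaScript metacharacters can reach the page, shown as an added example that is not the repository's own code. The function names (`is_safe_invocation_param`, `handle_invocation_request`, `render_invocation`) and the sample inputs are hypothetical; the example also shows the two things a reviewer would want next to such a check: stopping the script after the redirect, and escaping at the HTML sink regardless.

```php
<?php
// Added example; not code from the commit above. Run with: php example.php

/**
 * Allowlist check: true only for a non-empty string made of ASCII letters
 * and digits. Arrays (?invocation_id[]=x), empty strings and anything
 * containing < > " ' & or whitespace are rejected. A regex is used instead
 * of ctype_alnum() so the result does not depend on the process locale.
 */
function is_safe_invocation_param($value): bool
{
    return is_string($value) && preg_match('/\A[A-Za-z0-9]+\z/', $value) === 1;
}

/**
 * Request handling with the check applied: on failure, redirect AND stop.
 * Without the exit, the rest of the script would keep running with the
 * tainted values even though the browser is being sent elsewhere.
 */
function handle_invocation_request(array $request): array
{
    if (!array_key_exists('invocation_id', $request)
        || !array_key_exists('invocation_user', $request)) {
        return ['error' => 'missing invocation parameters'];
    }
    $id   = $request['invocation_id'];
    $user = $request['invocation_user'];
    if (!is_safe_invocation_param($id) || !is_safe_invocation_param($user)) {
        header('Location: dashboard.php#slices');
        exit; // stop here; do not fall through to the page body
    }
    return ['invocation_id' => $id, 'invocation_user' => $user];
}

/**
 * Defence in depth: even already-validated values are HTML-escaped at the
 * point where they are written into the page.
 */
function render_invocation(string $id, string $user): string
{
    return '<p>Invocation ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8')
         . ' by ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs (not from the page) and the expected verdicts.
$cases = [
    'abc123'                    => true,
    'user01'                    => true,
    'user_01'                   => false, // underscore is not alphanumeric
    '<script>alert(1)</script>' => false,
    '"onmouseover="alert(1)'    => false,
    ''                          => false,
];
foreach ($cases as $input => $expected) {
    $got = is_safe_invocation_param($input);
    printf("%-30s %s\n", var_export($input, true), $got === $expected ? 'ok' : 'MISMATCH');
}
echo render_invocation('abc123', 'user01'), "\n";
```

`is_safe_invocation_param` returns `false` for non-strings rather than letting PHP coerce them, which matters because `$_REQUEST` values can arrive as arrays. `handle_invocation_request` is the shape the reviewer note above asks for: the redirect is followed by `exit`, so a rejected request never reaches the code that uses the parameters.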
