From cedcfb20186ceeb96248116a923d7d76c63a2d6f Mon Sep 17 00:00:00 2001
From: Sweepr
Date: Sat, 13 Nov 2021 10:29:17 +0100
Subject: [PATCH] Update SpotPage_login.php

For for issue: https://github.com/spotweb/spotweb/issues/718
---
 lib/page/SpotPage_login.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/page/SpotPage_login.php b/lib/page/SpotPage_login.php
index a413d4bfe..acf639c97 100644
--- a/lib/page/SpotPage_login.php
+++ b/lib/page/SpotPage_login.php
@@ -37,7 +37,12 @@ public function render()
 // bring the form action into the local scope
 $formAction = $this->_loginForm['action'];
-
+
+ // Check redirect for chevrons, deny if found.
+ if (preg_match('/[<>]/i', $this->_params['data']['performredirect'])) {
+ $result->addError(_('Script is not allowed'));
+ }
+
 // Are we already submitting the form login?
 if (!empty($formAction)) {
 // make sure we can simply assume all fields are there