fix: [security] XSS in authkey add
- as reported by Dawid Czarnecki from Zigrin Security
mokaddem committed Jan 10, 2023
1 parent 0aa2475 commit f7238fe
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion app/Controller/Component/CRUDComponent.php
Expand Up @@ -114,7 +114,7 @@ public function add(array $params = [])
$this->Controller->Flash->success($message);
if (!empty($params['displayOnSuccess'])) {
$this->Controller->set('entity', $data);
$this->Controller->set('referer', $this->Controller->referer());
$this->Controller->set('referer', $this->Controller->referer(['action' => 'view', $model->id], true));
$this->Controller->render($params['displayOnSuccess']);
return;
}
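Review bot: The protection in the new `referer()` call rests entirely on its second argument, and nothing in the hunk says so; a later cleanup could drop the `true` as noise and silently reopen the issue. A comment on that line such as `// local-only referer: an off-site or malformed Referer header falls back to the entity's view action instead of reaching the template` would pin the intent. In CakePHP 2 the `$local` flag should make the method return only a path under the application base (or the `$default` route otherwise), which is what keeps an attacker-supplied `Referer` from becoming the `href` in the display view — worth confirming against the framework version in use. `add()` starts before the hunk, so `$model` and `$data` are assumed to be the model instance and the saved record from earlier in the method.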
4 changes: 2 additions & 2 deletions app/View/AuthKeys/authkey_display.ctp
Expand Up @@ -12,7 +12,7 @@
<pre class="quickSelect"><?= h($entity['AuthKey']['authkey_raw']) ?></pre>
</div>
<div class="modal-footer">
<a href="<?= $referer ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
<a href="<?= h($referer) ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
</div>
</div>
<?php
Expand All @@ -22,7 +22,7 @@
<p><?= __('Please make sure that you note down the auth key below, this is the only time the auth key is shown in plain text, so make sure you save it. If you lose the key, simply remove the entry and generate a new one.'); ?></p>
<p><?=__('MISP will use the first and the last 4 characters for identification purposes.')?></p>
<pre class="quickSelect"><?= h($entity['AuthKey']['authkey_raw']) ?></pre>
<a href="<?= $referer ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
<a href="<?= h($referer) ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
<?php
}
?>
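Review bot: `h($referer)` in the `href` attribute closes attribute and markup injection, but escaping alone does not constrain the URL scheme: `htmlspecialchars` leaves a non-`http` scheme untouched, so the view still depends on the controller passing only a local path. That coupling deserves a comment next to the first link, e.g. `<?php /* $referer must be a local path (controller requests a local-only referer); h() covers the attribute context only */ ?>`, or, more defensively, the view could substitute a fixed route when `$referer` does not start with `/`. The same change appears in the second hunk of this file (`@@ -22,7`); one comment at the first occurrence is enough.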
