Fix XSS on home page (OBB-602216)
Do not store totally invalid countries in cookie in the first place
sdennler committed Sep 4, 2022
1 parent a9f79c7 commit c720f27
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion htdocs/lib2/common.inc.php
Expand Up @@ -270,7 +270,7 @@ function set_usercountry(): void
{
global $cookie;

if (isset($_REQUEST['usercountry'])) {
if (preg_match('/^[a-z]{2}$/i', $_REQUEST['usercountry'] ?? '')) {
$cookie->set('usercountry', $_REQUEST['usercountry']);
}
}
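Review bot: the new `preg_match('/^[a-z]{2}$/i', ...)` guard only handles string input; `$_REQUEST['usercountry']` is user-controlled and can arrive as an array (PHP builds one from a `usercountry[]` parameter name), in which case `preg_match()` emits a warning and returns false on PHP 7 and throws a `TypeError` on PHP 8 instead of failing cleanly. Read the value once, check its type, and store a normalized form rather than the raw request value, e.g. `$country = $_REQUEST['usercountry'] ?? '';` / `if (is_string($country) && preg_match('/^[a-z]{2}$/i', $country)) {` / `$cookie->set('usercountry', strtoupper($country));`. Note that the pattern validates shape only (two ASCII letters, any case), not that the code is a known country, so the template-side escaping in this commit is still the primary XSS control and this check is defense in depth; a short comment saying so would help the next reader.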
2 changes: 1 addition & 1 deletion htdocs/templates2/ocstyle/start.tpl
Expand Up @@ -127,7 +127,7 @@
<p class="content-title-noshade-size3">
<img src="resource2/{$opt.template.style}/images/misc/22x22-traditional.png" style="margin-right: 10px;"
width="22" height="22" alt=""/>
<a href="newcaches.php?country={$usercountryCode}"
<a href="newcaches.php?country={$usercountryCode|escape}"
style="color:rgb(88,144,168); text-decoration: none;">{t 1=$usercountry|escape}Newest caches in %1{/t}</a>
&nbsp; <span class="content-title-link">[<a href="newcaches.php">{t}more{/t}...</a>]</span>
</p>
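Review bot: `{$usercountryCode|escape}` uses Smarty's default `html` escaping, which is the right fix for attribute breakout inside `href="..."`, and it brings this line in line with the `{t 1=$usercountry|escape}` on the same line. Since the value is interpolated into a query-string parameter rather than into element text, `|escape:'url'` is the more precise modifier for this context (it percent-encodes the value, so characters such as `&` cannot introduce extra parameters even if the cookie validation is bypassed elsewhere). Also worth checking that `$usercountryCode` is not emitted unescaped in any other template, since this diff covers only the one occurrence in `start.tpl`.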
