# Make $panel safe for all instances that are used in the control.php…

… script.
Phorum · Mar 10, 2009 · 3968679 · 3968679
1 parent ea45bab
commit 3968679
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/control.php b/control.php
@@ -55,6 +55,9 @@
     $panel = PHORUM_CC_SUMMARY;
 }
 
+$panel = htmlspecialchars(
+    basename($panel), ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]
+);
 
 // Set all our URLs.
 phorum_build_common_urls();
@@ -131,7 +134,7 @@
 $PHORUM["DATA"]["PROFILE"]["forum_id"] = isset($PHORUM["forum_id"]) ? $PHORUM['forum_id'] : 0;
 $PHORUM["DATA"]["PROFILE"]["PANEL"] = $panel;
 // used in nearly all or all cc-panels
-$PHORUM['DATA']['POST_VARS'].="<input type=\"hidden\" name=\"panel\" value=\"".htmlspecialchars($panel, ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"])."\" />\n";
+$PHORUM['DATA']['POST_VARS'].="<input type=\"hidden\" name=\"panel\" value=\"$panel\" />\n";
 
 // Set the back-URL and -message.
 if ($PHORUM['forum_id'] > 0 && $PHORUM['folder_flag'] == 0) {
@@ -147,7 +150,6 @@
 }
 
 // Load the code for the current panel.
-$panel = basename($panel);
 /**
  * [hook]
  *     cc_panel