prevent code injection (XSS)
fix for reflected XSS vulnerability spotted by Mithat Gögebakan,
www.netsparker.com
juek committed May 23, 2018
1 parent e851c39 commit fd637e2
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion include/admin/Menu/Ajax.php
Expand Up @@ -155,10 +155,13 @@ public function AddHidden(){
echo '<tr><th colspan="2">'.$langmessage['options'].'</th></tr>';

//title
$new_title = htmlspecialchars($_REQUEST['title']);
// prevent code injections
$new_title = str_replace(array('=', '/', '{', '}', ':', ',', ';'), '', $new_title);
echo '<tr><td>';
echo $langmessage['label'];
echo '</td><td>';
echo '<input type="text" name="title" maxlength="100" size="50" value="'.htmlspecialchars($_REQUEST['title']).'" class="gpinput full_width" required/>';
echo '<input type="text" name="title" maxlength="100" size="50" value="'. $new_title .'" class="gpinput full_width" required/>';
echo '</td></tr>';

//copy
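Review bot: the `str_replace` on the `// prevent code injections` line is a character denylist that silently mangles legitimate titles (any title containing `:`, `,`, `;`, `/` or `=` loses those characters) while the actual protection for the double-quoted `value="..."` attribute is already the `htmlspecialchars()` call one line above, which neutralizes `"`, `<`, `>` and `&`. If the reported reflected XSS needed those extra characters removed, the comment should say which context (not this attribute) that stripping is for; otherwise the denylist should go and the fix should instead pass `ENT_QUOTES` explicitly, e.g. `htmlspecialchars($_REQUEST['title'], ENT_QUOTES, 'UTF-8')`, so single quotes are also encoded regardless of the PHP default. Two smaller points in the same hunk: `$_REQUEST['title']` is read without an `isset()` guard, and `$_REQUEST` merges GET, POST and cookie input, so a form field submitted by this page would be narrower as `$_POST['title']`.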

1 comment on commit fd637e2

@fgeek fgeek commented on fd637e2 May 8, 2019

Can you make a new release which includes this fix? Thank you.
