Skip to content
Browse files

prevent code injection (XSS)

fix for reflected XSS vulnerability spotted by Mithat Gögebakan,
  • Loading branch information...
juek committed May 23, 2018
1 parent e851c39 commit fd637e2919e7f77c498a91a8e9d353f8e12afc9a
Showing with 4 additions and 1 deletion.
  1. +4 −1 include/admin/Menu/Ajax.php
@@ -155,10 +155,13 @@ public function AddHidden(){
echo '<tr><th colspan="2">'.$langmessage['options'].'</th></tr>';
$new_title = htmlspecialchars($_REQUEST['title']);
// prevent code injections
$new_title = str_replace(array('=', '/', '{', '}', ':', ',', ';'), '', $new_title);
echo '<tr><td>';
echo $langmessage['label'];
echo '</td><td>';
echo '<input type="text" name="title" maxlength="100" size="50" value="'.htmlspecialchars($_REQUEST['title']).'" class="gpinput full_width" required/>';
echo '<input type="text" name="title" maxlength="100" size="50" value="'. $new_title .'" class="gpinput full_width" required/>';
echo '</td></tr>';

1 comment on commit fd637e2


This comment has been minimized.

Copy link

commented on fd637e2 May 8, 2019

Can you make a new release, which includes this fix thank you?

Please sign in to comment.
You can’t perform that action at this time.