This repository has been archived by the owner on Jan 20, 2024. It is now read-only.
Fixed XSS
REQUEST_URI is not parsed by PHP - only by new browsers.
Can be used for XSS with curl or, for example, file_get_contents.
[url]?x="><h1>Hi</h1>
Elye$a committed Mar 1, 2017
1 parent b2071a9 commit 2ac3cd4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion public/protected/templates/viewer.phtml
Expand Up @@ -13,7 +13,7 @@
<meta name="twitter:site" content="<?php echo TWITTER_HANDLE; ?>" />
<meta name="twitter:title" content="<?php echo $file . '.' . $type; ?>" />
<meta name="twitter:image" content="<?php echo $protocol; ?>://<?php echo $_SERVER['SERVER_NAME'] . $imgurl; ?>" />
<meta name="twitter:url" content="<?php echo $protocol; ?>://<?php echo $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']; ?>" />
<meta name="twitter:url" content="<?php echo $protocol; ?>://<?php echo $_SERVER['SERVER_NAME'] . htmlspecialchars($_SERVER['REQUEST_URI']); ?>" />
<?php } ?>
</head>
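Review bot: the htmlspecialchars($_SERVER['REQUEST_URI']) call on the changed twitter:url line passes no flags argument, so on PHP versions before 8.1 it defaults to ENT_COMPAT and leaves single quotes unencoded; the attribute is double-quoted here so the fix holds, but `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')` makes the escaping independent of the attribute's quoting style and of the PHP version. The same line still concatenates $_SERVER['SERVER_NAME'] unescaped; depending on web-server configuration that value can reflect the request's Host header, so it should go through the same escaping as REQUEST_URI. The unchanged context lines also echo $file, $type and $imgurl into meta attributes without escaping, which deserves the same treatment if any of those values derive from request input.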
