Disallow / as it can be used to do XSS.

When / is combined with /script you can do naughty things. Blacklisting
/ is a much safer option.
commit bd46972860be529a9351fbd3830123f364d83984 1 parent d4e6944
@markstory markstory authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  src/View/Widget/IdGeneratorTrait.php
2  src/View/Widget/IdGeneratorTrait.php
@@ -48,7 +48,7 @@ protected function _clearIds() {
*/
protected function _id($name, $val) {
$name = mb_strtolower(Inflector::slug($name, '-'));
- $idSuffix = mb_strtolower(str_replace(array('@', '<', '>', ' ', '"', '\''), '-', $val));
+ $idSuffix = mb_strtolower(str_replace(array('/', '@', '<', '>', ' ', '"', '\''), '-', $val));
$count = 1;
$check = $idSuffix;
while (in_array($check, $this->_idSuffixes)) {
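Review bot: adding `'/'` to the `str_replace` array extends a denylist instead of fixing the approach, so any character not listed in `array('/', '@', '<', '>', ' ', '"', '\'')` still reaches the generated id unchanged. The line above already runs `$name` through `Inflector::slug($name, '-')`, which keeps only a known-safe set of characters; applying the same slugging to `$val` before `mb_strtolower()` would cover `/` and every other unlisted character in one step. If the denylist stays, the docblock above `_id()` should state which characters are replaced so the limitation is visible to callers.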