fixes #180, possible XSS in entry list
azett committed Dec 25, 2022
1 parent 91857ec commit 229752b
Showing 2 changed files with 4 additions and 2 deletions.
4 changes: 3 additions & 1 deletion admin/panels/entry/admin.entry.list.php
Expand Up @@ -39,15 +39,17 @@ function main() {
// parameters for the list
// start offset and count (now defaults to 8...)

$this->smarty->assign('formtarget', strip_tags($_SERVER ['PHP_SELF']));
$this->smarty->assign('categories_all', entry_categories_get('defs'));
$this->smarty->assign('saved_flags', entry_flags_get());

$defcount = 8; // <-- no magic numbers! todo: add config option?
global $fpdb;

if (!empty($_REQUEST ['entry']))
if (!empty($_REQUEST ['entry'])) {
utils_redirect('admin.php?p=entry&action=write&entry=' . $_REQUEST ['entry']);
}

isset($_REQUEST ['m']) ? $params ['m'] = $_REQUEST ['m'] : null;
isset($_REQUEST ['y']) ? $params ['y'] = $_REQUEST ['y'] : null;
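Review bot: strip_tags() on the new `$this->smarty->assign('formtarget', strip_tags($_SERVER ['PHP_SELF']));` line is not a sufficient fix for the attribute context it feeds: it removes tags but leaves `"` and `'` untouched, so a PHP_SELF value carrying extra path info such as `/admin.php/" onfocus="...` (reachable on servers that pass PATH_INFO through to PHP_SELF, which is common) still closes the `action="..."` attribute, and the template side is only safe if Smarty auto-escaping is enabled, which nothing here shows. The simplest robust fix is to stop deriving the target from request data at all, `$this->smarty->assign('formtarget', 'admin.php');`, which matches the script the panel already redirects to in the braced block; if the dynamic value must stay, escape it for HTML with `htmlspecialchars($_SERVER ['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` rather than strip_tags(). Unrelated to this commit but in the same hunk, the redirect concatenates `$_REQUEST ['entry']` into the URL unencoded; `urlencode($_REQUEST ['entry'])` would be cheap hardening. main() starts and ends outside the hunk.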
2 changes: 1 addition & 1 deletion admin/panels/entry/admin.entry.list.tpl
Expand Up @@ -25,7 +25,7 @@

<p>{$panelstrings.descr}</p>

<form method="get" action="{$smarty.server.PHP_SELF}?p=entry">
<form method="get" action="{$formtarget}?p=entry">
<p> <input type="hidden" name="p" value="entry" /> </p>
<fieldset><legend>{$panelstrings.filter}</legend>
<select name="category" class="alignleft">
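Review bot: the new `action="{$formtarget}?p=entry"` line relies entirely on the controller having sanitised `formtarget`, and nothing in this template enforces that, so the escaping belongs at the sink as well: `<form method="get" action="{$formtarget|escape}?p=entry">` keeps the attribute safe no matter how the PHP side builds the value (pick one layer, though, since HTML-escaping in both places double-encodes `&`). I cannot see the Smarty configuration from here, so whether escape_html is already on is unverified and the explicit modifier is the conservative choice. Separately, for a GET form browsers replace the action's query string with the submitted fields, so the `?p=entry` suffix is discarded on submit and the hidden `<input type="hidden" name="p" value="entry" />` on the next line is what actually carries the parameter; dropping the suffix would make that explicit.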