
Commit 8e0eba0

Merge pull request #2356 from Orange-OpenSource/fix/orange-opensource/security/fix-reflected-xss
fix(security) fix Reflected XSS vulnerability Reviewed-by: shaheem.azmal@siemens.com Tested-by: shaheem.azmal@siemens.com
2 parents ace6914 + d10d972 commit 8e0eba0


2 files changed

+3
-3
lines changed

2 files changed

+3
-3
lines changed

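--- a/src/lib/php/common-db.php
+++ b/src/lib/php/common-db.php
@@ -195,7 +195,7 @@ function DBCheckResult($result, $sql, $filenm, $lineno)
 } else {
 echo "FATAL: DB connection lost.";
 }
-echo "<br> $sql";
+echo "<br> ".htmlspecialchars($sql);
 debugbacktrace();
 echo "<hr>";
 exit(1);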
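Review bot: The escaped query is emitted with htmlspecialchars()'s default flags, so on PHP before 8.1 single quotes pass through unchanged, and on any version a `$sql` that is not valid UTF-8 makes the call return an empty string, silently dropping the very diagnostic this line exists to print; passing the flags explicitly avoids both: `echo "<br> ".htmlspecialchars($sql, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Single quotes are harmless in this HTML text context, so ENT_QUOTES here is for consistency rather than a fix, while ENT_SUBSTITUTE is what keeps the output from vanishing. DBCheckResult starts before this hunk, and whether the page already declares a UTF-8 charset cannot be seen from here. Separately, and not introduced by this commit, the failed query text and a backtrace are written into the response; whether that output is limited to administrators is not visible in the hunk.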

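--- a/src/www/ui/admin-config.php
+++ b/src/www/ui/admin-config.php
@@ -182,11 +182,11 @@ function Output()
 */
 if (! strcmp($validation_function, 'check_boolean')) {
 $warning_msg = _(
-"Error: You set $ui_label to $VarValue. Valid values are 'true' and 'false'.");
+"Error: You set $ui_label to ".htmlspecialchars($VarValue).". Valid values are 'true' and 'false'.");
 echo "<script>alert('$warning_msg');</script>";
 } else if (strpos($validation_function, "url")) {
 $warning_msg = _(
-"Error: $ui_label $VarValue, is not a reachable URL.");
+"Error: $ui_label ".htmlspecialchars($VarValue).", is not a reachable URL.");
 echo "<script>alert('$warning_msg');</script>";
 }
 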
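Review bot: htmlspecialchars() encodes for an HTML text context, but on lines 186 and 190 `$warning_msg` is interpolated into a JavaScript string literal inside `<script>alert('…');</script>`, where the browser does not decode HTML entities; with the default flags on PHP before 8.1 a single quote in `$VarValue` passes through unchanged and still terminates the literal, and on newer versions the user sees `&#039;` or `&quot;` rendered literally in the alert. The value should be escaped for the JavaScript context at the point of output instead, e.g. `echo "<script>alert(" . json_encode($warning_msg, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ");</script>";` on both lines, which also makes the htmlspecialchars() call inside the `_()` argument unnecessary and keeps the translatable string free of encoded markup. `$ui_label` is interpolated unescaped on the same lines; it is presumably a server-side label rather than request input, which should be confirmed. Output() starts before and continues after this hunk.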
