
Commit 2326aa5

committed
Fix reflected XXS issue
1 parent 4b4939d commit 2326aa5


1 file changed

+14
-8
lines changed


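--- a/web/templates/pages/debug_panel.php
+++ b/web/templates/pages/debug_panel.php
@@ -1,3 +1,9 @@
+<?php
+if( !defined("HESTIA_DIR_BIN") ){
+die("Direct access disabled");
+}
+?>
+
 <div x-data="{ open: false }" class="debug-panel">
 <button
 type="button"
@@ -10,26 +16,26 @@ class="debug-panel-toggle"
 <?php
 echo "<h3 class=\"u-mb10\">Server Variables</h3>";
 foreach ($_SERVER as $key => $val) {
-echo "<b>" . $key . "= </b> " . $val . " ";
+echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 }
-?>
+?>
 <?php
 echo "<h3 class=\"u-mb10 u-mt10\">Session Variables</h3>";
 foreach ($_SESSION as $key => $val) {
-echo "<b>" . $key . "= </b> " . $val . " ";
+echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 }
-?>
+?>
 <?php
 echo "<h3 class=\"u-mb10 u-mt10\">POST Variables</h3>";
 foreach ($_POST as $key => $val) {
-echo "<b>" . $key . "= </b> " . $val . " ";
+echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 }
-?>
+?>
 <?php
 echo "<h3 class=\"u-mb10 u-mt10\">GET Variables</h3>";
 foreach ($_GET as $key => $val) {
-echo "<b>" . $key . "= </b> " . $val . " ";
+echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 }
-?>
+?>
 </div>
 </div>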
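Review bot: `htmlentities($val)` on the four rewritten echo lines (Server, Session, POST and GET loops) throws a TypeError whenever a superglobal entry is an array — a `name[]=` query or form field, or a nested `$_SESSION` value — so the panel now crashes on inputs it is meant to display, where the old concatenation only emitted an "Array to string conversion" notice. Flatten before escaping: `$text = is_array($val) ? print_r($val, true) : (string) $val;` and then `echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . " ";`. Passing the flags and charset explicitly also keeps the escaping identical across PHP versions, since the default flags of `htmlentities()` changed in 8.1. The enclosing `<div class="debug-panel">` markup begins in the first hunk and the whole panel is still emitted unconditionally as far as this diff shows; I assume the debug-only gating lives in the caller.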
