
Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

Fixes #15048
scottgonzalez committed Sep 22, 2016
1 parent c571d2f commit 69e66ea6556584c39621c184f8f790a1011408ce
Showing with 4 additions and 1 deletion.
  1. +4 −1 demos/autocomplete/search.php
@@ -586,7 +586,10 @@
$output = json_encode($result);

if ($_GET["callback"]) {
$output = $_GET["callback"] . "($output);";
// Escape special characters to avoid XSS attacks via direct loads of this
// page with a callback that contains HTML. This is a lot easier than validating
// the callback name.
$output = htmlspecialchars($_GET["callback"]) . "($output);";
}

echo $output;
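Review bot: The fix escapes for the wrong context. `htmlspecialchars($_GET["callback"])` neutralises the case the comment describes (the response rendered as HTML when the page is loaded directly), but the value is still emitted as the head of a JavaScript statement, `callback($output);`, so any characters that are not special to HTML pass through into script context unchanged. A stricter and still short alternative is to accept only a JavaScript identifier (optionally dotted), e.g. `preg_match('/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/', $_GET["callback"])`, and fall back to plain JSON otherwise; pairing that with `header("Content-Type: application/javascript")` and `X-Content-Type-Options: nosniff` also stops browsers from treating a direct load as HTML in the first place. Separately, `if ($_GET["callback"])` raises an undefined-index notice when the parameter is absent; `if (!empty($_GET["callback"]))` is the usual guard.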
