Fix XSS issue

kitodo · Jul 27, 2020 · 6a67256 · 6a67256
1 parent 769f341
commit 6a67256
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/Classes/Plugin/ListView.php b/Classes/Plugin/ListView.php
@@ -268,7 +268,7 @@ protected function getSortingForm()
         $sorting = '<form action="' . $this->cObj->typoLink_URL($linkConf) . '" method="get"><div><input type="hidden" name="id" value="' . $GLOBALS['TSFE']->id . '" />';
         foreach ($this->piVars as $piVar => $value) {
             if ($piVar != 'order' && $piVar != 'DATA' && !empty($value)) {
-                $sorting .= '<input type="hidden" name="' . $this->prefixId . '[' . $piVar . ']" value="' . htmlspecialchars($value) . '" />';
+                $sorting .= '<input type="hidden" name="' . $this->prefixId . '[' . preg_replace('/[^A-Za-z0-9_-]/', '', $piVar) . ']" value="' . htmlspecialchars($value) . '" />';
             }
         }
         // Select sort field.

diff --git a/Classes/Plugin/Navigation.php b/Classes/Plugin/Navigation.php
@@ -73,7 +73,7 @@ protected function getPageSelector()
         // Add plugin variables.
         foreach ($this->piVars as $piVar => $value) {
             if ($piVar != 'page' && $piVar != 'DATA' && !empty($value)) {
-                $output .= '<input type="hidden" name="' . $this->prefixId . '[' . $piVar . ']" value="' . htmlspecialchars($value) . '" />';
+                $output .= '<input type="hidden" name="' . $this->prefixId . '[' . preg_replace('/[^A-Za-z0-9_-]/', '', $piVar) . ']" value="' . htmlspecialchars($value) . '" />';
             }
         }
         // Add page selector.