Fixed xss in deluser (#9079)

DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926`
librenms · Aug 25, 2018 · 0a34a37 · 0a34a37
1 parent 05a77b7
commit 0a34a37
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/html/pages/deluser.inc.php b/html/pages/deluser.inc.php
@@ -13,16 +13,17 @@
 
     if (Auth::get()->canManageUsers()) {
         if ($vars['action'] == 'del') {
-            $delete_username = dbFetchCell('SELECT username FROM users WHERE user_id = ?', array($vars['id']));
+            $id = (int)$vars['id'];
+            $delete_username = dbFetchCell('SELECT username FROM users WHERE user_id = ?', [$id]);
 
             if ($vars['confirm'] == 'yes') {
-                if (Auth::get()->deleteUser($vars['id']) >= 0) {
+                if (Auth::get()->deleteUser($id) >= 0) {
                     print_message('<div class="infobox">User "'.$delete_username.'" deleted!');
                 } else {
                     print_error('Error deleting user "'.$delete_username.'"!');
                 }
             } else {
-                print_error('You have requested deletion of the user "'.$delete_username.'". This action can not be reversed.<br /><a class="btn btn-danger" href="deluser/action=del/id='.$vars['id'].'/confirm=yes">Click to confirm</a>');
+                print_error('You have requested deletion of the user "'.$delete_username.'". This action can not be reversed.<br /><a class="btn btn-danger" href="deluser/action=del/id='.$id.'/confirm=yes">Click to confirm</a>');
             }
         }