Plug potential XSS hole in views/template.php
REQUEST_URI needs to be sanitized if used. Since we want to refresh
to the same page there is no need to set the URI.

Signed-off-by: Mikael Falkvidd <mfalkvidd@op5.com>
Mikael Falkvidd committed Jun 13, 2014
1 parent e4a1976 commit cb92507
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion share/pnp/application/views/template.php
@@ -4,7 +4,7 @@
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>; url=<?php echo $_SERVER['REQUEST_URI'] ?>" />
<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>" />
<title><?php if (isset($this->title)) echo html::specialchars($this->title) ?></title>
<?php echo html::stylesheet('media/css/common.css') ?>
<?php echo html::stylesheet('media/css/imgareaselect-default.css') ?>
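Review bot: the replacement line still echoes `$this->config->conf['refresh']` into the attribute without escaping, whereas the `<title>` line directly below wraps its value in `html::specialchars()`. The refresh interval comes from configuration rather than the request, so the exposure is much smaller than the removed `REQUEST_URI` reflection, but the value is only ever meaningful as a number of seconds, so casting it (`content="<?php echo (int) $this->config->conf['refresh'] ?>"`) would make the attribute safe regardless of what ends up in the config file. Dropping the `url=` part is the right call: a `refresh` header with no URL reloads the current page, so the reflected URI was never needed, and that is simpler and safer than escaping it.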
