Fix XSS in timeline_inc.php
Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker
to inject arbitrary JavaScript as part of the URL.

Using SCRIPT_NAME and passing it through string_sanitize_url() instead
prevents the attack.

Fixes #22742
Fixes #1094
dregad committed Apr 18, 2017
1 parent 27b5b29 commit a1c7193
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion core/timeline_inc.php
@@ -46,7 +46,7 @@
$t_block_css = $t_collapse_block ? 'collapsed' : '';
$t_block_icon = $t_collapse_block ? 'fa-chevron-down' : 'fa-chevron-up';

$t_url_page = $_SERVER["PHP_SELF"];
$t_url_page = string_sanitize_url( basename( $_SERVER['SCRIPT_NAME'] ) );
$t_url_params = $_GET;
if( isset( $t_url_params['all'] ) ) {
unset( $t_url_params['all'] );
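Review bot: the hunk sanitizes $t_url_page as a URL, but the line that later outputs it is outside the diff, so please confirm that the value is also escaped for its HTML context at the point of use (string_sanitize_url() cleans the URL value; it is not an HTML-attribute escaper). Two smaller points on the new line `$t_url_page = string_sanitize_url( basename( $_SERVER['SCRIPT_NAME'] ) );`: basename() turns the script path into a bare file name, so the generated link becomes relative and only stays correct if every page that includes timeline_inc.php lives in the same directory, and since this is an include file it would help to add a short comment saying why SCRIPT_NAME plus sanitization replaced PHP_SELF, so the protection is not undone by a later refactor.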