
Fix XSS in timeline_inc.php

Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker
to inject arbitrary JavaScript as part of the URL.

Using SCRIPT_NAME and passing it through string_sanitize_url() instead
prevents the attack.

Fixes #22742
Fixes #1094
dregad committed Apr 18, 2017
1 parent 27b5b29 commit a1c719313d61b07bbe8700005807b8195fdc32f1
Showing with 1 addition and 1 deletion.
  1. +1 −1 core/timeline_inc.php
@@ -46,7 +46,7 @@
$t_block_css = $t_collapse_block ? 'collapsed' : '';
$t_block_icon = $t_collapse_block ? 'fa-chevron-down' : 'fa-chevron-up';
$t_url_page = $_SERVER["PHP_SELF"];
$t_url_page = string_sanitize_url( basename( $_SERVER['SCRIPT_NAME'] ) );
$t_url_params = $_GET;
if( isset( $t_url_params['all'] ) ) {
unset( $t_url_params['all'] );
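Review bot: basename() drops the directory component, so $t_url_page is now a page name relative to the current request rather than the full script path; verify that the links built from it still resolve when the page is served from a subdirectory or behind a rewrite rule, since the previous PHP_SELF value carried the directory. The commit message notes the value was being output unescaped, so independent of string_sanitize_url(), the spot where $t_url_page is echoed into the HTML should also HTML-escape it as defense in depth, so that a future change to how the value is sourced does not reopen the injection.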
