
Commit a1c7193

Fix XSS in timeline_inc.php
Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker to inject arbitrary JavaScript as part of the URL. Using SCRIPT_NAME and passing it through string_sanitize_url() instead prevents the attack. Fixes #22742 Fixes #1094
1 parent 27b5b29 commit a1c7193
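The mechanism the commit message describes, shown as an added illustration that is not MantisBT code: a constructed request with injected path info makes `$_SERVER['PHP_SELF']` carry attacker-controlled text, while `$_SERVER['SCRIPT_NAME']` names only the executed script. The `sanitize_page_name()` function below is a hypothetical stand-in for the project's `string_sanitize_url()`, and the request values, page name and parameter names are assumptions for the demonstration.

```php
<?php
// Added illustration, not MantisBT code. The request below is constructed;
// sanitize_page_name() is a hypothetical stand-in for string_sanitize_url().

// 1. A constructed request for /my_view_page.php with extra path info.
//    With path info accepted by the web server, PHP_SELF reproduces the
//    injected segment verbatim; SCRIPT_NAME holds only the executed script.
$_SERVER['SCRIPT_NAME'] = '/my_view_page.php';
$_SERVER['PHP_SELF']    = '/my_view_page.php/"><script>alert(document.cookie)</script>';
$_GET = ['all' => '1', 'days' => '30" onmouseover="alert(1)'];

// 2. Hypothetical sanitiser: accept only a bare PHP page name, else fall back.
function sanitize_page_name(string $p_name, string $p_fallback = 'index.php'): string {
    return preg_match('/^[A-Za-z0-9_]+\.php$/', $p_name) ? $p_name : $p_fallback;
}

// 3. Build the link the way the patched line does, with the pre-fix variant
//    kept side by side. http_build_query() percent-encodes keys and values,
//    so the query string cannot break out of the attribute either.
function build_timeline_url(array $p_params, bool $p_use_php_self): string {
    $t_page = $p_use_php_self
        ? $_SERVER['PHP_SELF']                                   // before the fix
        : sanitize_page_name(basename($_SERVER['SCRIPT_NAME'])); // after the fix
    unset($p_params['all']);                                     // mirrors the hunk
    $t_query = http_build_query($p_params);
    return $t_page . ($t_query === '' ? '' : '?' . $t_query);
}

$t_before = build_timeline_url($_GET, true);
$t_after  = build_timeline_url($_GET, false);

// Before: the raw PHP_SELF value closes the href attribute and injects script.
echo '<a href="' . $t_before . '">all</a>', PHP_EOL;
// After: the page name is whitelisted and the href is attribute-escaped as well.
echo '<a href="' . htmlspecialchars($t_after, ENT_QUOTES, 'UTF-8') . '">all</a>', PHP_EOL;
```

Run with `php` on the command line; the first link printed contains the injected `<script>` element, the second reads `my_view_page.php?days=30%22+onmouseover%3D%22alert%281%29`. The attribute escaping on the last line is defence in depth: the whitelist already rejects anything but a plain page name, but escaping at the output point keeps the link safe if a caller ever passes a less strictly validated value.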

File tree: 1 file changed, +1 -1 lines changed


Diff for: core/timeline_inc.php

@@ -46,7 +46,7 @@
4646
$t_block_css = $t_collapse_block ? 'collapsed' : '';
4747
$t_block_icon = $t_collapse_block ? 'fa-chevron-down' : 'fa-chevron-up';
4848

49-
$t_url_page = $_SERVER["PHP_SELF"];
49+
$t_url_page = string_sanitize_url( basename( $_SERVER['SCRIPT_NAME'] ) );
5050
$t_url_params = $_GET;
5151
if( isset( $t_url_params['all'] ) ) {
5252
unset( $t_url_params['all'] );
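Review bot: Sanitising the page name on line 49 covers the reported vector, but the next context line, `$t_url_params = $_GET;`, still copies attacker-controlled query keys and values into the link builder untouched. Please confirm that where `$t_url_page` and `$t_url_params` are recombined the query string is rebuilt with `http_build_query()` (or each key and value is passed through `htmlspecialchars()` / the project's attribute-escaping helper) before it is written into the `href`; otherwise the same class of injection stays reachable through the query string rather than the path. A smaller point: `basename()` drops the directory part, so the generated link is now relative to the current page's directory instead of the absolute path `PHP_SELF` carried; that is fine while `timeline_inc.php` is only included from pages in the same directory as the link target, but the behaviour change deserves a short comment on line 49 or a sentence in the commit message.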
