
xss: Prevent Agent Directory XSS

This addresses a vulnerability where an Agent can perform XSS via the
Agent Directory’s REQUEST query string. This sanitizes the request params
so the code will be escaped and not executed in the browser.
JediKev committed Feb 12, 2018
1 parent c4669d7 commit 36651b9139498bedde574be6dd2a6eaada50b8b0
Showing with 4 additions and 0 deletions.
  1. +4 −0 include/staff/directory.inc.php
@@ -5,6 +5,10 @@
$agents = Staff::objects()
->select_related('dept');
// Sanitize 'order' param To Escape XSS
if ($_REQUEST['order'])
$_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
if($_REQUEST['q']) {
$searchTerm=$_REQUEST['q'];
if($searchTerm){
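Review bot: `if ($_REQUEST['order'])` reads the key unconditionally, so on every request that does not carry an `order` parameter PHP emits an undefined-index notice; the guard should be `if (!empty($_REQUEST['order']))` (the same pattern also applies to the pre-existing `if($_REQUEST['q'])` two lines below). Sanitizing the value in place via `Format::sanitize()` also makes the fix depend on that helper's behaviour and on every later consumer reading the already-rewritten superglobal; escaping at the point of output (where `order` is echoed into the page) would be the more robust defence, and since `q` is read here without the same treatment, the reviewer should confirm that it is escaped on output as well.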
