xss: Prevent Agent Directory XSS
This addresses a vulnerability where an Agent can perform XSS via the
Agent Directory’s REQUEST query string. This sanitizes the request params
so the code will be escaped and not executed in the browser.
JediKev committed Mar 6, 2018
1 parent c4669d7 commit 36651b9
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions include/staff/directory.inc.php
@@ -5,6 +5,10 @@
$agents = Staff::objects()
->select_related('dept');

// Sanitize 'order' param To Escape XSS
if ($_REQUEST['order'])
$_REQUEST['order'] = Format::sanitize($_REQUEST['order']);

if($_REQUEST['q']) {
$searchTerm=$_REQUEST['q'];
if($searchTerm){
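Review bot: `if ($_REQUEST['order'])` raises an undefined-index notice every time the directory is loaded without an `order` parameter; guard it with `if (!empty($_REQUEST['order']))` (or `isset()`) so the new check does not add noise to the error log. The hunk also sanitizes by rewriting the superglobal on input, while `q` on the following lines is still copied straight into `$searchTerm`; confirm that `q` is escaped where it is rendered, and consider escaping `order` at its output site (for example with `htmlspecialchars()` or the existing `Format` helpers) rather than mutating `$_REQUEST`, so a later reader of the raw value cannot reintroduce the problem.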
