xss: Queue Name
This mitigates an issue discovered by Matthew Aberegg where the Name field
for a Queue can be exploited via XSS to execute code. This sanitizes the
`$_POST['queue-name']` variable in a few places via `Format::htmlchars()` so
we are safe from any XSS attempts on creations and updates.
JediKev committed Apr 28, 2020
1 parent d54cca0 commit 6c724ea
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions include/class.queue.php
Expand Up @@ -1204,14 +1204,14 @@ function update($vars, &$errors=array()) {
if (!$vars['queue-name'])
$errors['queue-name'] = __('A title is required');
elseif (($q=CustomQueue::lookup(array(
'title' => $vars['queue-name'],
'title' => Format::htmlchars($vars['queue-name']),
'parent_id' => $vars['parent_id'] ?: 0,
'staff_id' => $this->staff_id)))
&& $q->getId() != $this->id
)
$errors['queue-name'] = __('Saved queue with same name exists');

$this->title = $vars['queue-name'];
$this->title = Format::htmlchars($vars['queue-name']);
$this->parent_id = @$vars['parent_id'] ?: 0;
if ($this->parent_id && !$this->parent)
$errors['parent_id'] = __('Select a valid queue');
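Review bot: The new `Format::htmlchars()` calls on the two changed `'title' =>` and `$this->title =` lines HTML-encode the queue name at storage time rather than where it is rendered, so the persisted title is now in entity form; any template that already escapes on output, and any non-HTML consumer of the title (JSON, mail, CSV export), will see `&amp;`/`&lt;` sequences — worth confirming against the views that print it. The `create` hunk in scp/queues.php has the same property. Because the duplicate-name lookup now compares the encoded form, a row saved before this commit whose title contains `&`, `<`, `>` or `"` will no longer match and keeps its unescaped content, so escaping at the render site plus a one-off cleanup of existing rows would close the gap independently of the input path. A short comment above the assignment, `// Title is stored HTML-encoded (see 6c724ea); do not re-escape on output`, would record the invariant for maintainers. update() starts and ends outside the hunk.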
2 changes: 1 addition & 1 deletion scp/queues.php
Expand Up @@ -43,7 +43,7 @@
case 'create':
$queue = CustomQueue::create(array(
'staff_id' => 0,
'title' => $_POST['queue-name'],
'title' => Format::htmlchars($_POST['queue-name']),
'root' => 'T'
));

