Merge pull request #3919 from aydreeihn/issue/advanced_search_xss

Format the advanced search title so that it will not allow javascript
osTicket · Sep 14, 2017 · ebe1953 · ebe1953
2 parents c26b11c + 8132c13
commit ebe1953
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/include/ajax.search.php b/include/ajax.search.php
@@ -136,7 +136,7 @@ function _saveSearch($search) {
 
         $search->config = JsonDataEncoder::encode($form->getState());
         if (isset($_POST['name']))
-            $search->title = $_POST['name'];
+            $search->title = Format::htmlchars($_POST['name']);
         elseif ($search->__new__)
             Http::response(400, 'A name is required');
         if (!$search->save()) {