xss: SLA Name
This mitigates an issue discovered by Gais Cyber Security where the SLA Name
can be exploited via XSS to execute code. This sanitizes the content for
`create()` and `update()` with `Format::htmlchars()` so we are safe from any
XSS attempts.
JediKev committed Apr 28, 2020
1 parent de41aeb commit fc4c860
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion include/class.sla.php
Expand Up @@ -106,7 +106,7 @@ static function getVarScope() {
}

function update($vars, &$errors) {

$vars = Format::htmlchars($vars);
if (!$vars['grace_period'])
$errors['grace_period'] = __('Grace period required');
elseif (!is_numeric($vars['grace_period']))
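Review bot: the whole `$vars` array is handed to `Format::htmlchars()` before the field checks in `update()`, so this hunk relies on that helper walking arrays element by element; if it only handles strings, the `$vars['grace_period']` lookups on the following lines would operate on a scalar. Also worth stating in the commit message or a code comment that this is encode-on-write: the SLA name is stored HTML-encoded, so any view that already escapes on output will double-encode it, and non-HTML consumers (plain-text mail, API/JSON) will see entities. Output escaping in the templates that render the SLA name remains the durable fix; this change narrows the window for these two entry points.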
Expand Down Expand Up @@ -208,6 +208,7 @@ static function getIdByName($name) {
}

static function create($vars=false, &$errors=array()) {
$vars = Format::htmlchars($vars);
$sla = new static($vars);
$sla->created = SqlFunction::NOW();
return $sla;
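Review bot: `create()` gets the same treatment as `update()`, which covers the two write paths named in the commit message but no other path that constructs an SLA object (for example direct instantiation with unencoded data); consider applying the encoding inside the setter or constructor rather than at each caller, and add a regression test that creates an SLA with a name containing `<script>` and asserts the stored value is encoded.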

0 comments on commit fc4c860
