Bugfix: Reflected XSS /app/tools/subnet-masks/popup.php

Fixes #3738
phpipam · Feb 9, 2023 · 842e999 · 842e999
1 parent 788caf8
commit 842e999
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/app/tools/subnet-masks/popup.php b/app/tools/subnet-masks/popup.php
@@ -37,6 +37,6 @@
 <!-- footer -->
 <div class="pFooter">
 	<div class="btn-group">
-		<button class="btn btn-sm btn-default <?php print @$_REQUEST['closeClass']; ?>"><?php print _('Close'); ?></button>
+		<button class="btn btn-sm btn-default <?php escape_input(print @$_REQUEST['closeClass']); ?>"><?php print _('Close'); ?></button>
 	</div>
 </div>
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
@@ -4,6 +4,7 @@
     ----------------------------
     + XSS (reflected) in 'bw-calulator-result.php';
     + XSS (reflected) by invalid email address response;
+    + XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
     + XSS and LDAP injection in ad-search-result.php;
     + XSS and LDAP injection in ad-search-group-result.php;
     + Restrict find_full_subnets.php to CLI;