
Commit 698be4a

committed
Fix XSS when changing template
1 parent b151674 commit 698be4a

1 file changed

+7
-2
lines changed


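--- a/templates.php
+++ b/templates.php
@@ -10,10 +10,17 @@
 $active_nav = 'templates';
 include_once ADMIN_VIEWS_DIR . DS . 'header.php';
 
+$templates = look_for_templates();
+$valid_templates = array_map(function($t) { return $t['location']; }, $templates);
+
 /**
 * Changing the client's template
 */
 if (isset($_GET['activate_template'])) {
+if (!in_array($_GET['activate_template'], $valid_templates)) {
+exit_with_error_code(403);
+}
+
 $save = save_option('selected_clients_template', $_GET['activate_template']);
 
 global $flash;
@@ -28,8 +35,6 @@
 
 ps_redirect(BASE_URI . 'templates.php');
 }
-
-$templates = look_for_templates();
 ?>
 <div class="row">
 <div class="col-12 col-sm-12 col-lg-12">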
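Review bot: The new allow-list check in the first hunk calls `in_array` without the strict flag, so the request value is compared to the template locations with loose `==` semantics; the guard should be `if (!in_array($_GET['activate_template'], $valid_templates, true)) {` so only an exact string match from `look_for_templates()` can reach `save_option`. The check relies on `exit_with_error_code(403)` terminating the script, which is not visible here and is worth confirming, since otherwise the untrusted value would still be saved on the next line. As a point of style, `$valid_templates` can be built with `array_column($templates, 'location')` instead of the closure. The `if (isset($_GET['activate_template']))` block continues past the end of the first hunk.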
