Bugfix: Fix stored XSS attack - ref CVE-2021-38600
See https://github.com/hmaverickadams/CVE-2021-38600

For some reason the author did not think it wise to let me know 
privately first - instead publicly announcing it via a GitHub repo..... 
sigh.

In addition, is this *really* a vulnerability? Since Pepperminty Wiki 
requires the site secret to set it up, I can't see that this has a real 
impact.

Still, I'll fix it anyway.....
sbrl committed Sep 2, 2021
1 parent fab1b52 commit 0a77065
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions Changelog.md
Expand Up @@ -21,6 +21,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t

## Fixed
- [security] Fixed some potential XSS attacks in the page editor
- [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- Fixed a weird bug in the `stats-update` action causing warnings
- search: Properly apply weightings of matches in page titles and tags
- Improved error handling on first run where the PHP Zip extension is not installed
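
Review bot: the new `[security]` entry for CVE-2021-38600 opens with "Fix" while the neighbouring entries in this list use the past tense ("Fixed some potential XSS attacks ...", "Fixed a weird bug ..."); change it to "Fixed stored XSS attack in the wiki name ..." so the section reads consistently. The severity rationale after the semicolon is worth keeping, since it tells upgraders that exploitation requires the site secret and the one-time first run wizard.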
2 changes: 1 addition & 1 deletion modules/feature-firstrun.php
Expand Up @@ -204,7 +204,7 @@

// Apply the settings
$settings->firstrun_complete = true;
$settings->sitename = $_POST["wiki-name"];
$settings->sitename = htmlentities($_POST["wiki-name"]);
$settings->data_storage_dir = $_POST["data-dir"];

if(!save_settings()) {
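
Review bot: on the changed `$settings->sitename` line, `htmlentities()` is called with its default flags and is applied when the value is stored rather than when it is printed. Before PHP 8.1 the default flag set is `ENT_COMPAT`, which leaves single quotes unencoded, so pass the flags and charset explicitly, e.g. `htmlentities($_POST["wiki-name"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8")`. Storing the encoded form also means any non-HTML consumer of `sitename` receives entities, and any later output escaping would double-encode it; keeping the raw value in settings and escaping where it is rendered avoids both. The following context line still assigns `$_POST["data-dir"]` to `$settings->data_storage_dir` unchanged, which deserves validation in the same pass.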