Sanitize the POST for the system/preferences/

symphonycms · Nov 5, 2015 · 651e150 · 651e150
1 parent 16dc3b8
commit 651e150
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/symphony/content/content.systempreferences.php b/symphony/content/content.systempreferences.php
@@ -196,7 +196,7 @@ public function action()
         Symphony::ExtensionManager()->notifyMembers('CustomActions', '/system/preferences/');
 
         if (isset($_POST['action']['save'])) {
-            $settings = $_POST['settings'];
+            $settings = filter_var_array($_POST['settings'], FILTER_SANITIZE_STRING);
 
             /**
              * Just prior to saving the preferences and writing them to the `CONFIG`
@@ -210,7 +210,10 @@ public function action()
              * @param array $errors
              *  An array of errors passed by reference
              */
-            Symphony::ExtensionManager()->notifyMembers('Save', '/system/preferences/', array('settings' => &$settings, 'errors' => &$this->_errors));
+            Symphony::ExtensionManager()->notifyMembers('Save', '/system/preferences/', array(
+                'settings' => &$settings,
+                'errors' => &$this->_errors
+            ));
 
             if (!is_array($this->_errors) || empty($this->_errors)) {
                 if (is_array($settings) && !empty($settings)) {