fix: possible XSS vulnerability of $_POST
Bruce Xie committed Jul 24, 2022
1 parent fe44ff8 commit 2b0411b
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion settings/SettingController.php
Expand Up @@ -103,7 +103,11 @@ public function setStorageParams($params){
}
!is_dir($this->storagesDir) && mkdir($this->storagesDir, 0777);
$jsonFile = $this->storagesDir.'/storage-'.$key.'.json';
$config = json_encode($_POST, JSON_UNESCAPED_SLASHES);
$post = [];
foreach($_POST as $key=>$val){
$post[$key] = htmlspecialchars($val);
}
$config = json_encode($post, JSON_UNESCAPED_SLASHES);
//在Win中,如果从"文件→属性→安全→对象名称"中复制路径,会多出一个你看不见的字符"\u202a",只有变成
//json后才看的见它的unicode,这样会导致路径明明存在程序却说不存在的情况,所以要把这个字符在json中去掉
$config = str_replace('\u202a', '', $config);
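Review bot: the new `foreach($_POST as $key=>$val)` loop reuses `$key`, the variable used one line earlier to build `$jsonFile`, so after the loop `$key` silently holds the last POST field name; rename the loop variables (for example `$k => $v`) so the storage key is not clobbered if it is referenced later in `setStorageParams`. The loop also assumes every POST value is a scalar: a field submitted as `name[]=...` arrives as an array, and `htmlspecialchars($val)` on an array raises a TypeError on PHP 8 (a warning plus `null` on older versions), so either skip or recurse into array values. Finally, this applies HTML output encoding at storage time rather than at render time, so a legitimate `&`, `<` or `"` in a stored value (a path, a token) is persisted as `&amp;`, `&lt;`, `&quot;` and will no longer match what the user typed; the more robust fix is to keep the raw value in the JSON and call `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` wherever the settings are echoed into HTML.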

0 comments on commit 2b0411b
