sbrl-github/Pepperminty-Wiki
sbrl-github
/
Pepperminty-Wiki
mirror of https://github.com/sbrl/Pepperminty-Wiki.git
1
0
Fork 0
Code

Bugfix: XSS in format GET param of stats action

This commit is contained in:
Starbeamrainbowlabs 2021-09-21 13:29:27 +01:00
parent bca154859c
commit 4be6a181cb
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Changelog.md
View File

@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.24-dev
(none yet! More improvements coming soon :D)
### Fixed
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
## v0.23

2
modules/feature-stats.php
View File

@ -33,7 +33,7 @@ register_module([
global $settings, $statistic_calculators;
$allowed_formats = [ "html", "json" ];
$format = $_GET["format"] ?? "html";
$format = slugify($_GET["format"]) ?? "html";
if(!in_array($format, $allowed_formats)) {
http_response_code(400);