sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-10-31 21:33:00 +00:00
Code Activity

Bugfix: XSS in format GET param of stats action

Browse source
This commit is contained in:
Starbeamrainbowlabs 2021-09-21 13:29:27 +01:00
parent bca154859c
commit 4be6a181cb
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Changelog.md
View file

@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.24-dev ## v0.24-dev
(none yet! More improvements coming soon :D) ### Fixed
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
## v0.23 ## v0.23

2
modules/feature-stats.php
View file

@ -33,7 +33,7 @@ register_module([
global $settings, $statistic_calculators; global $settings, $statistic_calculators;
$allowed_formats = [ "html", "json" ]; $allowed_formats = [ "html", "json" ];
$format = $_GET["format"] ?? "html"; $format = slugify($_GET["format"]) ?? "html";
if(!in_array($format, $allowed_formats)) { if(!in_array($format, $allowed_formats)) {
http_response_code(400); http_response_code(400);