mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-11-22 04:23:01 +00:00
Bugfix: XSS in format GET param of stats action
This commit is contained in:
parent
bca154859c
commit
4be6a181cb
2 changed files with 3 additions and 2 deletions
|
@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
||||||
|
|
||||||
## v0.24-dev
|
## v0.24-dev
|
||||||
|
|
||||||
(none yet! More improvements coming soon :D)
|
### Fixed
|
||||||
|
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
||||||
|
|
||||||
|
|
||||||
## v0.23
|
## v0.23
|
||||||
|
|
|
@ -33,7 +33,7 @@ register_module([
|
||||||
global $settings, $statistic_calculators;
|
global $settings, $statistic_calculators;
|
||||||
|
|
||||||
$allowed_formats = [ "html", "json" ];
|
$allowed_formats = [ "html", "json" ];
|
||||||
$format = $_GET["format"] ?? "html";
|
$format = slugify($_GET["format"]) ?? "html";
|
||||||
|
|
||||||
if(!in_array($format, $allowed_formats)) {
|
if(!in_array($format, $allowed_formats)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
|
|
Loading…
Reference in a new issue