mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-10-31 21:33:00 +00:00
Bugfix: XSS in format GET param of stats action
This commit is contained in:
parent
bca154859c
commit
4be6a181cb
2 changed files with 3 additions and 2 deletions
|
@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
|||
|
||||
## v0.24-dev
|
||||
|
||||
(none yet! More improvements coming soon :D)
|
||||
### Fixed
|
||||
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
||||
|
||||
|
||||
## v0.23
|
||||
|
|
|
@ -33,7 +33,7 @@ register_module([
|
|||
global $settings, $statistic_calculators;
|
||||
|
||||
$allowed_formats = [ "html", "json" ];
|
||||
$format = $_GET["format"] ?? "html";
|
||||
$format = slugify($_GET["format"]) ?? "html";
|
||||
|
||||
if(!in_array($format, $allowed_formats)) {
|
||||
http_response_code(400);
|
||||
|
|
Loading…
Reference in a new issue