Changeset 3746:0cae5565cdc8 for inc

Timestamp:

03/30/18 13:36:59 (8 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Fix potential reflective XSS, thank's Zekvan Arslan for report (via Daniel Bishtawi from https://www.netsparker.com/)

File:

inc/admin/lib.pager.php

-                      r3731
+                      r3746
             unset($args['ok']);
+        }
         $this->form_hidden = '';
         foreach ($args as $k => $v) {
+            if (is_array($v)) {
+                foreach ($v as $k2 => $v2) {
+                    $this->form_hidden .= form::hidden(array($k . '[]'), html::escapeHTML($v2));
+            // Check parameter key (will prevent some forms of XSS)
+            if ($k === preg_replace('`[^A-Za-z0-9_-]`', '', $k)) {
+                if (is_array($v)) {
+                    foreach ($v as $k2 => $v2) {
+                        $this->form_hidden .= form::hidden(array($k . '[]'), html::escapeHTML($v2));
+                    }
+                } else {
+                    $this->form_hidden .= form::hidden(array($k), html::escapeHTML($v));
+                }
-            } else {
-                $this->form_hidden .= form::hidden(array($k), html::escapeHTML($v));
+            }
+        }

Note: See TracChangeset for help on using the changeset viewer.