aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Settings/Channel_home.php
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2022-03-20 13:10:56 +0100
committerHarald Eilertsen <haraldei@anduin.net>2022-03-20 15:34:24 +0100
commitd35609f33a3679043b8fa4dc3ad2570b425c06f5 (patch)
treef2b2e593b12c66b00e1958eaeff48a1f2000ece8 /Zotlabs/Module/Settings/Channel_home.php
parent8c19ab8f9f47a522ad2b929495f3b5821efd2f34 (diff)
downloadvolse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.tar.gz
volse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.tar.bz2
volse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.zip
CVE-2022-27258: XSS via rpath query param.
Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
Diffstat (limited to 'Zotlabs/Module/Settings/Channel_home.php')
-rw-r--r--Zotlabs/Module/Settings/Channel_home.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/Zotlabs/Module/Settings/Channel_home.php b/Zotlabs/Module/Settings/Channel_home.php
index e8faa7fb2..3948563dc 100644
--- a/Zotlabs/Module/Settings/Channel_home.php
+++ b/Zotlabs/Module/Settings/Channel_home.php
@@ -13,7 +13,7 @@ class Channel_home {
$module = substr(strrchr(strtolower(static::class), '\\'), 1);
check_form_security_token_redirectOnErr('/settings/' . $module, 'settings_' . $module);
-
+
$features = get_module_features($module);
process_module_features_post(local_channel(), $features, $_POST);
@@ -25,7 +25,7 @@ class Channel_home {
$channel_menu = ((x($_POST['channel_menu'])) ? htmlspecialchars_decode(trim($_POST['channel_menu']),ENT_QUOTES) : '');
set_pconfig(local_channel(),'system','channel_menu',$channel_menu);
-
+
Libsync::build_sync_packet();
if($_POST['rpath'])
@@ -82,7 +82,7 @@ class Channel_home {
$tpl = get_markup_template("settings_module.tpl");
$o .= replace_macros($tpl, array(
- '$rpath' => $rpath,
+ '$rpath' => escape_url($rpath),
'$action_url' => 'settings/' . $module,
'$form_security_token' => get_form_security_token('settings_' . $module),
'$title' => t('Channel Home Settings'),
@@ -90,7 +90,7 @@ class Channel_home {
'$extra_settings_html' => $extra_settings_html,
'$submit' => t('Submit')
));
-
+
return $o;
}