diff options
| author | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 13:10:56 +0100 |
|---|---|---|
| committer | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 15:34:24 +0100 |
| commit | d35609f33a3679043b8fa4dc3ad2570b425c06f5 (patch) | |
| tree | f2b2e593b12c66b00e1958eaeff48a1f2000ece8 /Zotlabs/Module/Settings/Directory.php | |
| parent | 8c19ab8f9f47a522ad2b929495f3b5821efd2f34 (diff) | |
| download | volse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.tar.gz volse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.tar.bz2 volse-hubzilla-d35609f33a3679043b8fa4dc3ad2570b425c06f5.zip | |
CVE-2022-27258: XSS via rpath query param.
Escape URLs provided by the rpath query param in settings modules. This
prevents a possible Cross-Site scripting vulnerability, where an
attacker could inject web scripts and html into the settings form via
the rpath query parameter, and have a user execute the script by
tricking them to clicking a link.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
Diffstat (limited to 'Zotlabs/Module/Settings/Directory.php')
| -rw-r--r-- | Zotlabs/Module/Settings/Directory.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Zotlabs/Module/Settings/Directory.php b/Zotlabs/Module/Settings/Directory.php index d1dd0677e..b36b0c318 100644 --- a/Zotlabs/Module/Settings/Directory.php +++ b/Zotlabs/Module/Settings/Directory.php @@ -34,14 +34,14 @@ class Directory { $tpl = get_markup_template("settings_module.tpl"); $o .= replace_macros($tpl, array( - '$rpath' => $rpath, + '$rpath' => escape_url($rpath), '$action_url' => 'settings/' . $module, '$form_security_token' => get_form_security_token('settings_' . $module), '$title' => t('Directory Settings'), '$features' => process_module_features_get(local_channel(), $features), '$submit' => t('Submit') )); - + return $o; } |