From 0207c024201eec8d3fe83d4151f8cb5165e28886 Mon Sep 17 00:00:00 2001
From: Mario <mario@mariovavti.com>
Date: Wed, 30 Oct 2024 09:12:26 +0000
Subject: escape the zid parameter - issue #1877

---
 Zotlabs/Web/WebServer.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index 6f8a4b956..19f14ee8a 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -2,6 +2,8 @@
 
 namespace Zotlabs\Web;
 
+use Zotlabs\Lib\Text;
+
 class WebServer {
 
 	public function run() {
@@ -60,7 +62,7 @@ class WebServer {
 			\App::$query_string = strip_zids(\App::$query_string);
 			if(! local_channel()) {
 				if (!isset($_SESSION['my_address']) || $_SESSION['my_address'] != $_GET['zid']) {
-					$_SESSION['my_address'] = $_GET['zid'];
+					$_SESSION['my_address'] = Text::escape_tags($_GET['zid']);
 					$_SESSION['authenticated'] = 0;
 				}
 				if(!$_SESSION['authenticated']) {
-- 
cgit v1.2.3