From d35609f33a3679043b8fa4dc3ad2570b425c06f5 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sun, 20 Mar 2022 13:10:56 +0100
Subject: CVE-2022-27258: XSS via rpath query param.

Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
---
 Zotlabs/Module/Settings/Network.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'Zotlabs/Module/Settings/Network.php')

diff --git a/Zotlabs/Module/Settings/Network.php b/Zotlabs/Module/Settings/Network.php
index 9f5bdb2e5..89b562d90 100644
--- a/Zotlabs/Module/Settings/Network.php
+++ b/Zotlabs/Module/Settings/Network.php
@@ -53,7 +53,7 @@ class Network {
 		$tpl = get_markup_template("settings_module.tpl");
 		$o .= replace_macros($tpl, array(
-			'$rpath' => $rpath,
+			'$rpath' => escape_url($rpath),
 			'$action_url' => 'settings/' . $module,
 			'$form_security_token' => get_form_security_token('settings_' . $module),
 			'$title' => t('Stream Settings'),
-- 
cgit v1.2.3
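Review bot: Wrapping the template value in `escape_url($rpath)` only neutralises the HTML-context injection at this one call site; `$rpath` itself is still an attacker-supplied URL, and where the value is read from the query string (outside this hunk) nothing appears to constrain it, so if the module later redirects to it after the form POST — which the name suggests but the hunk does not show — an open-redirect vector remains. Validating at the point where rpath is read, rather than escaping at output, would close both problems and cover any other template that still interpolates `$rpath` unescaped, e.g. accept only same-site relative paths: `if (strpos($rpath, '://') !== false || substr($rpath, 0, 2) === '//') $rpath = '';`. It is also worth a one-line comment on the added line noting the escaping is for the HTML attribute context only, since `escape_url()` is defined elsewhere and its exact behaviour cannot be confirmed from this patch. The enclosing method starts before and ends after this hunk.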