From 0207c024201eec8d3fe83d4151f8cb5165e28886 Mon Sep 17 00:00:00 2001
From: Mario
Date: Wed, 30 Oct 2024 09:12:26 +0000
Subject: escape the zid parameter - issue #1877

---
 Zotlabs/Web/WebServer.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index 6f8a4b956..19f14ee8a 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -2,6 +2,8 @@
 namespace Zotlabs\Web;
+use Zotlabs\Lib\Text;
+
 class WebServer {
 	public function run() {
@@ -60,7 +62,7 @@ class WebServer {
 				\App::$query_string = strip_zids(\App::$query_string);
 				if(! local_channel()) {
 					if (!isset($_SESSION['my_address']) || $_SESSION['my_address'] != $_GET['zid']) {
-						$_SESSION['my_address'] = $_GET['zid'];
+						$_SESSION['my_address'] = Text::escape_tags($_GET['zid']);
 						$_SESSION['authenticated'] = 0;
 					}
 					if(!$_SESSION['authenticated']) {
-- 
cgit v1.2.3
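Review bot: The condition on the line above the changed assignment still compares the stored value against the raw `$_GET['zid']`, so once `my_address` holds the escaped form, any zid that escaping alters will fail the comparison on every request, re-enter the branch and reset `$_SESSION['authenticated']` to 0. Escape once and compare against that same value: `$zid = Text::escape_tags($_GET['zid']);` / `if (!isset($_SESSION['my_address']) || $_SESSION['my_address'] !== $zid) {` / `$_SESSION['my_address'] = $zid;`. The existing `!=` is a loose comparison; `!==` avoids type juggling on this string value. Whether `$_GET['zid']` is guaranteed to be set at this point is decided by code outside the hunk, and `run()` both starts and ends outside it.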