From e109abbef7fed77898da7adb9d43e686dc96c29a Mon Sep 17 00:00:00 2001
From: Andrew Manning <tamanning@zoho.com>
Date: Sun, 12 Jun 2016 07:17:23 -0400
Subject: Apply purify_html to page content before preview and save to prevent
 JavaScript code injection.

---
 include/wiki.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/wiki.php b/include/wiki.php
index f0785d549..4aa3fc1b4 100644
--- a/include/wiki.php
+++ b/include/wiki.php
@@ -279,7 +279,7 @@ function wiki_page_history($arr) {
 
 function wiki_save_page($arr) {
 	$pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : '');
-	$content = ((array_key_exists('content',$arr)) ? $arr['content'] : '');
+	$content = ((array_key_exists('content',$arr)) ? purify_html($arr['content']) : '');
 	$resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : '');
 	$w = wiki_get_wiki($resource_id);
 	if (!$w['path']) {
-- 
cgit v1.2.3