From 921608c01ab530a2fbb3057e5ebbbcb2112698d4 Mon Sep 17 00:00:00 2001 From: Harald Eilertsen Date: Thu, 10 Mar 2022 15:35:14 +0100 Subject: Security: Escape imported dates before outputing in error messages. --- includes/admin/views/giglog_import_gigs.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'includes') diff --git a/includes/admin/views/giglog_import_gigs.php b/includes/admin/views/giglog_import_gigs.php index afcc632..e68c07c 100644 --- a/includes/admin/views/giglog_import_gigs.php +++ b/includes/admin/views/giglog_import_gigs.php @@ -79,8 +79,7 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) { //Below only checks if the date field is made of 4-2-2 digits, irregardless of their values. Actual date check is lower if( ! preg_match("/\d{4}\-\d{2}-\d{2}/",$resultArray[3])) { - $importerrors.= 'Row '.$rid.' has invalid date!'.$resultArray[3]."
"; - + $importerrors.= 'Row '.$rid.' has invalid date!'.esc_html($resultArray[3])."
"; continue; } else { @@ -99,7 +98,7 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) { else { $condate = date('Y-m-d', strtotime($resultArray[3])); if ($condate"; + $importerrors.= 'Row '.$rid.' has date in the past!' . esc_html($resultArray[3]) . "
"; continue; } else { -- cgit v1.2.3