From 970a119f235d18e117c3acbb41d8bc8d7a43990c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Zapletal?=
Date: Fri, 3 Jun 2016 16:20:34 +0200
Subject: [PATCH] fix non-persistent XSS due inproper content escaping

---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.php b/index.php
index da6bba42..423f8fd8 100644
--- a/index.php
+++ b/index.php
@@ -302,7 +302,7 @@ if ($action == 'login') {
 }
 $lastqrystr = "";
 if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
-    $lastqrystr = strip_tags($_REQUEST['qrystr']);
+    $lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES);
 }
 eval("echo \"" . getTemplate('login') . "\";");
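Review bot: The added `htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES)` pins neither the flag set nor the charset, so its behaviour follows the runtime default encoding (ISO-8859-1 before PHP 5.4, UTF-8 from 5.4 on) and it silently returns an empty string for input that is not valid in that encoding; `htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` ties the escaping to the page's output encoding explicitly, which is what makes the escaping reliable. The guard on the line above only tests `!= ""`, so a request that sends `qrystr` as an array parameter reaches `htmlspecialchars` with a non-string, which yields a warning and `null` on PHP 5/7 and a `TypeError` on PHP 8; adding `is_string($_REQUEST['qrystr'])` to the condition closes that. Escaping at input time covers the HTML text and attribute contexts; whether the login template also places `$lastqrystr` in a script or URL context, which would need its own escaping, cannot be confirmed from this hunk. The leading `}` context line closes a block that begins outside the hunk.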