Merge pull request #357 from yaplik/master

fix non-persistent XSS due inproper content escaping
2016-06-03 16:29:28 +02:00
parent 7faebbb197 970a119f23
commit 85f707af8a
1 changed files with 1 additions and 1 deletions
--- a/index.php
+++ b/index.php
@@ -302,7 +302,7 @@ if ($action == 'login') {
 		}
 		$lastqrystr = "";
 		if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
-			$lastqrystr = strip_tags($_REQUEST['qrystr']);
+			$lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES);
 		}

 		eval("echo \"" . getTemplate('login') . "\";");