From 29301f5d08a845b219eb7213d62bf5a11235dff0 Mon Sep 17 00:00:00 2001
From: Greg Hormann
Date: Fri, 2 Jul 2021 19:15:48 -0400
Subject: [PATCH] saveSettings xss https://www.huntr.dev/bounties/1624827860695-FalconChristmas/fpp/

---
 www/fppjson.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/www/fppjson.php b/www/fppjson.php
index 051761a8f..3ba64d303 100644
--- a/www/fppjson.php
+++ b/www/fppjson.php
@@ -153,9 +153,9 @@ function SetPluginSetting()
 {
     global $args;
 
-    $setting = $args['key'];
-    $value = $args['value'];
-    $plugin = $args['plugin'];
+    $setting = htmlspecialchars($args['key']);
+    $value = htmlspecialchars($args['value']);
+    $plugin = htmlspecialchars($args['plugin']);
 
     check($setting, "setting", __FUNCTION__);
     check($value, "value", __FUNCTION__);
@@ -659,8 +659,8 @@ function SetSetting()
 {
     global $args, $SUDO;
 
-    $setting = $args['key'];
-    $value = $args['value'];
+    $setting = htmlspecialchars($args['key']);
+    $value = htmlspecialchars($args['value']);
 
     check($setting, "setting", __FUNCTION__);
     check($value, "value", __FUNCTION__);
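Review bot: Applying htmlspecialchars() where `$setting`, `$value` and `$plugin` are read (both hunks, SetPluginSetting and SetSetting) persists HTML-entity text instead of the submitted value, so a setting that legitimately contains `&`, `"` or `<` is stored altered and becomes double-encoded wherever the UI already escapes on output, and it only covers an HTML body or double-quoted-attribute context because the pre-8.1 default flags leave single quotes untouched. The more robust shape is to keep the raw value, constrain the identifiers, and escape at render time in the page that displays them: e.g. `if (!preg_match('/^[A-Za-z0-9_.-]+$/', (string)($args['key'] ?? ''))) { /* reject, as check() does for empty input */ }` for `$setting` (and likewise `$plugin`, which HTML encoding does not constrain if it is ever used to name a file — not visible in this hunk), with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at the output side. If the input-time encoding is kept as a stop-gap, pass `ENT_QUOTES | ENT_SUBSTITUTE` explicitly, because with the defaults an invalid UTF-8 byte sequence makes htmlspecialchars() return an empty string and the value silently arrives empty at check(). Both functions continue past their hunks, so how the values are consumed afterwards cannot be confirmed from here.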