From 91e567d2bbd13fb90065dac6538b46ddc1aff878 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hhmer?=
Date: Wed, 19 Jan 2022 18:46:07 +0100
Subject: [PATCH] Fix an XSS issue in install.php

---
 install.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/install.php b/install.php
index a069a8f7a..1da652818 100644
--- a/install.php
+++ b/install.php
@@ -155,7 +155,7 @@
 $config['installation_complete']['database'] = true; // database settings successful set
 $config['installation_complete']['db_backup_path'] = true; //Workaround, because we removed the dialog for this
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 }
 break;
 
@@ -166,7 +166,7 @@
 
 $config['installation_complete']['db_backup_path'] = true; // database backup path successful set
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 }
 break;
 
@@ -179,7 +179,7 @@
 try {
 saveConfig();
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 $fatal_error = true;
 }
 
@@ -228,7 +228,7 @@
 $tmpl_site_to_show = 'finish';
 }
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlspecialchars($e->getMessage())), 'strong' => true, 'color' => 'red');
 $fatal_error = true;
 }
 }
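Review bot: The four added lines escape the exception message with default flags, which on PHP versions before 8.1 leaves the single quote unescaped (default is ENT_COMPAT) and, without ENT_SUBSTITUTE, returns an empty string for a message containing invalid UTF-8, so the error text is silently lost; the first three hunks also use `htmlentities()` while the fourth uses `htmlspecialchars()`, so the same message is rendered differently depending on which catch block produced it. Making the flags and charset explicit and using one function everywhere closes both gaps: `$messages[] = array('text' => nl2br(htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')), 'strong' => true, 'color' => 'red');`. Escaping before `nl2br()` is the right order, since the inserted `<br />` tags must survive; keep that order if the line is changed. The four copies are identical apart from the function name, so a small local helper that builds the red error entry from an `Exception` would keep future fixes in one place. The enclosing try/catch blocks start outside each hunk, and whether the `'text'` value is later printed without further escaping is not visible here, so the template side is worth confirming as well.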