From 63e9a247c072008a031f9db39fa496f6aca489b6 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 3 Sep 2022 18:51:00 +0200
Subject: [PATCH] SECURITY fix difftype handling. #3761
---
 inc/Ui/PageDiff.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/inc/Ui/PageDiff.php b/inc/Ui/PageDiff.php
index fe98d296cc..92aacb76a4 100644
--- a/inc/Ui/PageDiff.php
+++ b/inc/Ui/PageDiff.php
@@ -105,13 +105,14 @@ protected function handle()
 }
 // requested diff view type
+ $mode = '';
 if ($INPUT->has('difftype')) {
- $this->preference['difftype'] = $INPUT->str('difftype');
+ $mode = $INPUT->str('difftype');
 } else {
 // read preference from DokuWiki cookie. PageDiff only
 $mode = get_doku_pref('difftype', null);
- if (isset($mode)) $this->preference['difftype'] = $mode;
 }
+ if(in_array($mode, ['inline','sidebyside'])) $this->preference['difftype'] = $mode;
 if (!$INPUT->has('rev') && !$INPUT->has('rev2')) {
 global $INFO, $REV;
@@ -222,7 +223,7 @@ public function show()
 // display diff view table
 echo '
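Review bot: The allow-list check `in_array($mode, ['inline','sidebyside'])` in handle() compares loosely, so a non-string `$mode` such as boolean `true` would match and be stored as the preference; pass the strict flag, `if (in_array($mode, ['inline', 'sidebyside'], true)) $this->preference['difftype'] = $mode;`. On the lines shown `$mode` comes from `$INPUT->str('difftype')` or `get_doku_pref('difftype', null)`, which presumably yield a string or null, so this is hardening rather than a bypass visible here. The two accepted values are a literal inside handle(), while show() branches on the same key in `switch ($this->preference['difftype'])`; a shared class constant would keep the validation and the rendering from drifting apart. A regression test that requests an unlisted `difftype` and asserts the preference keeps its previous value would pin the fix. handle() starts and ends outside the hunk.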
'; - echo ''; + echo '
'; //navigation and header switch ($this->preference['difftype']) {