From f95a43351dd2441daef9c509d376e6ee0fa7d603 Mon Sep 17 00:00:00 2001
From: TrystanLea <trystan.lea@gmail.com>
Date: Thu, 22 Jul 2021 13:48:09 +0100
Subject: [PATCH] reduce XSS risk of url query passthrough - revisit again

---
 Theme/theme.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Theme/theme.php b/Theme/theme.php
index c11d5682f..484ea4a2e 100644
--- a/Theme/theme.php
+++ b/Theme/theme.php
@@ -91,7 +91,7 @@
             <script>
             // Draw menu just before drawing content but after defining content-container
             var path = "<?php echo $path; ?>";
-            var q = "<?php echo $q; ?>"+location.search+location.hash;
+            var q = "<?php echo preg_replace('/[^.\/_A-Za-z0-9-]/', '', $q); ?>"+location.search+location.hash;
             menu.init(<?php echo json_encode($menu); ?>);
             </script>
             <?php echo $content; ?>