From ba96fa417fcd95c22cf927860352cf6757b7f7ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Sun, 1 May 2022 13:50:23 +0200
Subject: [PATCH] Fix stored XSS security issue: decode HTML entities from URL

---
 CHANGES.md                        | 1 +
 functions/PreparePHP_SELF.fnc.php | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index 12267bc0d..dd923fdf4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -67,6 +67,7 @@ Changes in 9.0
 - Sanitize / escape URL as THEME is often included for button img src attribute in User.fnc.php
 - Better format for "Add another marking period" form in EditReportCardGrades.php
 - Fix Improper Access Control security issue: add random string to photo file name in TipMessage.fnc.php, Transcripts.fnc.php, PrintClassPictures.php, Student.php, User.php & General_Info.inc.php, thanks to @dungtuanha
+- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @khanhchauminh
 
 Changes in 8.9.5
 ----------------
diff --git a/functions/PreparePHP_SELF.fnc.php b/functions/PreparePHP_SELF.fnc.php
index 759679cfd..6585d4b97 100644
--- a/functions/PreparePHP_SELF.fnc.php
+++ b/functions/PreparePHP_SELF.fnc.php
@@ -173,6 +173,9 @@ function RedirectURL( $remove )
  */
 function URLEscape( $string )
 {
+	// Fix stored XSS security issue: decode HTML entities from URL.
+	$decoded_string = html_entity_decode( $string );
+
 	$entities = [
 		'%21',
 		'%2A',
@@ -223,7 +226,7 @@ function URLEscape( $string )
 	return str_replace(
 		$entities,
 		$replacements,
-		rawurlencode( (string) $string )
+		rawurlencode( (string) $decoded_string )
 	);
 }
 
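Review bot: The new `html_entity_decode( $string )` call in the first hunk leaves the flags at their default, and that default changed in PHP 8.1: before 8.1 it is `ENT_COMPAT | ENT_HTML401`, which leaves `&#039;`/`&apos;` undecoded, so on those versions a single-quote entity still passes through to `rawurlencode()` and the fix is incomplete; pinning the flags also makes the behaviour independent of the runtime. The second hunk keeps the `(string)` cast only on the `rawurlencode()` argument, so a null or non-string `$string` now reaches `html_entity_decode()` uncast (a deprecation on 8.1+ for null), whereas before this change it was cast before any call. Both are addressed by one line, `$decoded_string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );`, after which the cast in the second hunk is redundant. This is a single decode pass, so a double-encoded payload (`&amp;lt;`) comes out as `&lt;`; whether that is reachable depends on which percent-escapes the `$entities`/`$replacements` tables turn back into literal characters, and those tables sit between the two hunks outside this view. The added comment states what rather than why; something like `// Callers may pass an already HTML-encoded URL: decode it first so rawurlencode() sees the real characters and an entity-encoded payload cannot survive into the output.` would tell the next maintainer why a URL escaper decodes HTML at all.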