From 8e736ba9b0a4d2d33bac30844a5e8756182eb0fc Mon Sep 17 00:00:00 2001
From: andryyy
Date: Tue, 7 Sep 2021 18:58:05 +0200
Subject: [PATCH] [Web] Fix potential XSS in autodiscover-json.php

---
 data/web/autodiscover-json.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/autodiscover-json.php b/data/web/autodiscover-json.php
index e1749b7518..2fa96990eb 100644
--- a/data/web/autodiscover-json.php
+++ b/data/web/autodiscover-json.php
@@ -16,6 +16,6 @@
 }
 else {
 http_response_code(400);
- echo '{"ErrorCode":"InvalidProtocol","ErrorMessage":"The given protocol value \u0027' . $_GET['Protocol'] . '\u0027 is invalid. Supported values are \u0027ActiveSync,AutodiscoverV1\u0027"}';
+ echo '{"ErrorCode":"InvalidProtocol","ErrorMessage":"The given protocol value \u0027' . preg_replace("/[^\da-z]/i", '', $_GET['Protocol']) . '\u0027 is invalid. Supported values are \u0027ActiveSync,AutodiscoverV1\u0027"}';
 }
 ?>
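Review bot: The added `preg_replace` allowlist on the `echo` line does neutralise the reflected `$_GET['Protocol']`, but the statement still hand-assembles a JSON document around untrusted input, so any later edit to the pattern or the literal reopens the injection. Letting the encoder do the escaping is the structural fix: `$msg = sprintf("The given protocol value '%s' is invalid. Supported values are 'ActiveSync,AutodiscoverV1'", $_GET['Protocol']);` followed by `echo json_encode(['ErrorCode' => 'InvalidProtocol', 'ErrorMessage' => $msg], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);`, which produces the same `\u0027` quoting as the original text while making the value inert even if the body is ever rendered as HTML. If the file does not already send `header('Content-Type: application/json');` before this branch (the top of the file is outside the hunk), adding it is what actually stops a browser from treating this response as a document. Separately, `$_GET['Protocol']` is not guaranteed to be a string: when the query parameter is an array, `preg_replace` returns an array and the concatenation emits `Array` with a warning, so validating the input as a string before use (e.g. `is_string($_GET['Protocol'] ?? null)`) would make the error path well-defined.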