From fc7e1a026735b93f0e0047700d08c44954fce9ce Mon Sep 17 00:00:00 2001 From: Bozhidar Slaveykov Date: Wed, 19 Jan 2022 12:33:18 +0200 Subject: [PATCH] fix xss on module api call in value parameters --- .../App/Http/Controllers/ApiController.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/MicroweberPackages/App/Http/Controllers/ApiController.php b/src/MicroweberPackages/App/Http/Controllers/ApiController.php index 7973615d77b..6d628263d5b 100644 --- a/src/MicroweberPackages/App/Http/Controllers/ApiController.php +++ b/src/MicroweberPackages/App/Http/Controllers/ApiController.php @@ -17,9 +17,6 @@ class ApiController extends FrontendController { - - - public function api_html() { if (!defined('MW_API_HTML_OUTPUT')) { @@ -609,12 +606,14 @@ public function module() $request_data = array_merge($_GET, $_POST); - // sanitize attributes if($request_data){ $request_data_new = []; $antixss = new AntiXSS(); foreach ($request_data as $k=>$v){ + + $v = $antixss->xss_clean($v); + if(is_string($k)){ $k = $antixss->xss_clean($k); if($k){ @@ -623,6 +622,7 @@ public function module() } else { $request_data_new[$k] = $v; } + } $request_data = $request_data_new; }
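Review bot: Output escaping is still missing as far as this patch shows: the added `$v = $antixss->xss_clean($v);` at the top of the `foreach` in `module()` only filters request values on input, and the code that writes these parameters into the module markup lies outside the hunk. A pattern-based filter should be a second layer, so the values should also be escaped where they are emitted, for example `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for an attribute context. When `$v` is an array, only the top-level `$k` is passed through `xss_clean` here; nested keys presumably pass through unchanged, which is worth confirming against the AntiXSS version in use. I would add a comment above the new line such as `// input filter only: values must still be escaped per output context`, and a regression test that posts a markup-bearing value to this endpoint and asserts the response contains it only in escaped form. `module()` begins and ends outside the hunk, so the final rendering path could not be checked from here.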