From 2b031e646693eac8687de8e90835fc1af4201f7f Mon Sep 17 00:00:00 2001
From: jekkos
Date: Tue, 28 Sep 2021 20:42:43 +0200
Subject: [PATCH] Fix reflected XSS vulnerability

---
 application/controllers/Messages.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/controllers/Messages.php b/application/controllers/Messages.php
index 0771817454..4b168624be 100644
--- a/application/controllers/Messages.php
+++ b/application/controllers/Messages.php
@@ -37,11 +37,11 @@ public function send()
 if($response)
 {
- echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $phone));
+ echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $this->xss_clean($phone)));
 }
 else
 {
- echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone));
+ echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $this->xss_clean($phone)));
 }
 }
@@ -54,11 +54,11 @@ public function send_form($person_id = -1)
 if($response)
 {
- echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $phone, 'person_id' => $this->xss_clean($person_id)));
+ echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $this->xss_clean($phone), 'person_id' => $this->xss_clean($person_id)));
 }
 else
 {
- echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone, 'person_id' => -1));
+ echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $this->xss_clean($phone), 'person_id' => -1));
 }
 }
 }
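Review bot: `$this->xss_clean($phone)` filters the input rather than encoding it for the context it is rendered in, and `json_encode()` still emits `<`, `>`, `&` and quotes verbatim, so whether the message lands safely in the page still depends entirely on how the client inserts it; this applies to all four `echo json_encode(...)` lines across both hunks. A change at the sink is more robust: pass the hex-escape flags on each of those lines, e.g. `echo json_encode(array('success' => TRUE, 'message' => ...), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`, which keeps the response inert even if client code concatenates it into HTML or a browser renders the raw body. Where `$phone` originates and whether the controller already declares a JSON content type are outside the hunk (both `send()` and `send_form()` bodies start before it); if it does not, adding CodeIgniter's `$this->output->set_content_type('application/json');` before the echo stops the browser from treating the response as HTML. The `xss_clean` call can stay as defence in depth, but the encoding belongs at the output boundary, not in the value.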