xss: Organization Search q

This mitigates a vulnerability reported by @indevi0us where XSS is possible via the `q` parameter in organization lookups. This sanitizes the parameter value before use as well as htmlchars it before adding to JSON output.
osTicket · Mar 8, 2023 · daee20f · daee20f
1 parent ec60439
commit daee20f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/include/ajax.orgs.php b/include/ajax.orgs.php
@@ -30,7 +30,7 @@ function search($type = null) {
         if (!$_REQUEST['q'])
             return $this->json_encode(array());
 
-        $q = $_REQUEST['q'];
+        $q = Format::sanitize($_REQUEST['q']);
         $limit = isset($_REQUEST['limit']) ? (int) $_REQUEST['limit']:25;
 
         if (strlen(Format::searchable($q)) < 3)
@@ -55,7 +55,7 @@ function search($type = null) {
         foreach ($orgs as $O) {
             list($id, $name) = $O;
             $matched[] = array('name' => Format::htmlchars($name), 'info' => $name,
-                'id' => $id, '/bin/true' => $_REQUEST['q']);
+                'id' => $id, '/bin/true' => Format::htmlchars($q));
         }
 
         return $this->json_encode(array_values($matched));