From 262d2388ed64148844000f1356d289a847a42799 Mon Sep 17 00:00:00 2001 From: Michael Larabel Date: Tue, 7 Sep 2021 17:50:55 -0500 Subject: [PATCH] phoromatic: Run htmlspecialchars() when printing out the passed trigger This shouldn't be much of an issue anyhow since getting to this stage firt requires having credentials / API access key, there isn't any JavaScript used besides some display elements on the Phoromatic site, and anyhow most running Phoromatic on private intranets Reported-By: wtwver on @huntr-dev
---
 pts-core/phoromatic/public_html/event.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pts-core/phoromatic/public_html/event.php b/pts-core/phoromatic/public_html/event.php
index a2b99b72b1..71a96463e0 100644
--- a/pts-core/phoromatic/public_html/event.php
+++ b/pts-core/phoromatic/public_html/event.php
@@ -93,7 +93,7 @@ $stmt->bindValue(':sub_target', $sub_target);
 if($stmt->execute())
 {
- echo 'Trigger ' . $_GET['trigger'] . ' added!';
+ echo 'Trigger ' . htmlspecialchars($_GET['trigger']) . ' added!';
 }
 break;
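Review bot: The added `htmlspecialchars($_GET['trigger'])` on the `+` line relies on PHP's default flags, which before PHP 8.1 are ENT_COMPAT and so leave single quotes unescaped and depend on the default charset; make the HTML context explicit with `echo 'Trigger ' . htmlspecialchars($_GET['trigger'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' added!';`. A request such as `?trigger[]=x` makes `$_GET['trigger']` an array, which htmlspecialchars() rejects (a TypeError on PHP 8, a warning and null on earlier versions), so the value should be verified to be a scalar where it is first read, before the prepared statement, which lies outside this hunk. The `bindValue` line shows the request-derived values are stored, so if the saved trigger is printed anywhere else in Phoromatic that output path needs the same escaping; that cannot be confirmed from here. Driving an insert from `$_GET` also suggests a state change over GET, in which case a POST form with a CSRF token would be the safer shape, though the request handling is not visible in the hunk. The enclosing `case` and its `switch` start outside the hunk.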