diff --git a/pts-core/objects/pts_result_viewer_embed.php b/pts-core/objects/pts_result_viewer_embed.php
index 62d6d8dd9a..6116c07cbc 100644
--- a/pts-core/objects/pts_result_viewer_embed.php
+++ b/pts-core/objects/pts_result_viewer_embed.php
@@ -36,6 +36,11 @@ public function __construct(&$result_file, $public_id = null)
{
$this->result_file = &$result_file;
$this->result_public_id = $public_id;
+
+ if(isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI']))
+ {
+ pts_strings::exit_if_contains_unsafe_data($_SERVER['REQUEST_URI']);
+ }
}
public function allow_modifying_results($can_modify)
{
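Review bot: The guard `if(isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI']))` on the added lines is doubly redundant: `!empty()` already implies `isset()`, and `exit_if_contains_unsafe_data()` itself returns early on an empty argument, so `if(isset($_SERVER['REQUEST_URI']))` is all that is needed; the identical block added to `phoromatic_init_web_page_setup()` in pts-core/phoromatic/phoromatic_functions.php has the same shape. Calling a method that may `exit` from inside the `pts_result_viewer_embed` constructor couples a data object to the HTTP environment and terminates the process from a constructor, which is hard to test and easy to miss when reading the class; screening the request URI at the web entry point, as the phoromatic hunk does, would be the clearer home for it. If it stays here, a one-line comment such as `// Refuse to render results when the request URI carries markup/script fragments` would explain why a viewer object inspects `$_SERVER`.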
diff --git a/pts-core/objects/pts_strings.php b/pts-core/objects/pts_strings.php
index cca6e6d25b..3f452507cc 100644
--- a/pts-core/objects/pts_strings.php
+++ b/pts-core/objects/pts_strings.php
@@ -791,6 +791,22 @@ public static function safety_strings_to_reject()
{
return array('<', '>', 'document.write', '../', 'onerror', 'onload', 'alert(', 'String.', 'confirm(', 'focus=', '<', '>', '');
}
+ public static function exit_if_contains_unsafe_data($check, $exit_msg = 'Exited due to suspicious URL.')
+ {
+ if(empty($check))
+ {
+ return;
+ }
+
+ foreach(pts_strings::safety_strings_to_reject() as $invalid_string)
+ {
+ if(stripos($check, $invalid_string) !== false)
+ {
+ echo '' . $exit_msg . '';
+ exit;
+ }
+ }
+ }
}
?>
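Review bot: The new `exit_if_contains_unsafe_data()` iterates `safety_strings_to_reject()`, whose last element appears on this page as an empty string `''`; if that element really is empty (the duplicated `'<', '>'` entries suggest entity-encoded forms may have been flattened during extraction, so this needs confirming against the file), then on PHP 8 `stripos($check, '')` returns `0`, the `!== false` test passes, and every non-empty request URI is rejected, while PHP 7 emits a warning for the empty needle instead. Skipping empty needles makes the loop robust either way: `foreach(array_filter(pts_strings::safety_strings_to_reject(), 'strlen') as $invalid_string)`. The rejection path also echoes `$exit_msg` unescaped and exits with the default 200 status; since this runs in a web context, `http_response_code(400); echo htmlspecialchars($exit_msg, ENT_QUOTES, 'UTF-8'); exit;` signals the refusal to clients and logs correctly and keeps the message safe should a caller ever pass a non-constant string. Both callers pass `$_SERVER['REQUEST_URI']` undecoded, so the list is only compared against the raw form; comparing against `rawurldecode($check)` as well would make the screening consistent with what the application actually interprets. A short docblock stating that the method terminates the request (`@return void`, and that it calls `exit`) would warn callers that it is not a plain predicate.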
diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
index 7a691a4515..74ccc5444c 100644
--- a/pts-core/phoromatic/phoromatic_functions.php
+++ b/pts-core/phoromatic/phoromatic_functions.php
@@ -87,6 +87,11 @@ function phoromatic_init_web_page_setup()
include('../../pts-core.php');
pts_core::init();
+
+ if(isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI']))
+ {
+ pts_strings::exit_if_contains_unsafe_data($_SERVER['REQUEST_URI']);
+ }
}
function phoromatic_webui_header($left_items, $right = null)
{
diff --git a/pts-core/phoromatic/public_html/public.php b/pts-core/phoromatic/public_html/public.php
index 783149f545..6fe0609dfc 100644
--- a/pts-core/phoromatic/public_html/public.php
+++ b/pts-core/phoromatic/public_html/public.php
@@ -178,7 +178,7 @@
$result_limit = isset($_POST['result_limit']) && is_numeric($_POST['result_limit']) && $_POST['result_limit'] > 9 ? $_POST['result_limit'] : 50;
$main .= '
';
- $main .= '