From 8fbf87e19a6098972abc7521554db5757c3edd89 Mon Sep 17 00:00:00 2001
From: Gary Allan
Date: Fri, 3 Feb 2023 21:37:09 +0000
Subject: [PATCH] Bugfix: XSS (reflected) by invalid email address response
Reported by ZenalArifin
---
 app/subnets/addresses/mail-notify-check.php | 2 +-
 app/tools/temp-shares/edit-result.php | 2 +-
 misc/CHANGELOG | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/subnets/addresses/mail-notify-check.php b/app/subnets/addresses/mail-notify-check.php
index 69e37f0b9..42463ff09 100644
--- a/app/subnets/addresses/mail-notify-check.php
+++ b/app/subnets/addresses/mail-notify-check.php
@@ -21,7 +21,7 @@
 # verify each recipient
 foreach (explode(",", $_POST['recipients']) as $rec) {
 if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) {
- $Result->show("danger", _("Invalid email address")." - ".$rec, true);
+ $Result->show("danger", _("Invalid email address")." - ".escape_input($rec), true);
 }
 }
 # strip html tags
diff --git a/app/tools/temp-shares/edit-result.php b/app/tools/temp-shares/edit-result.php
index 31ca83b7c..27f7db9f1 100644
--- a/app/tools/temp-shares/edit-result.php
+++ b/app/tools/temp-shares/edit-result.php
@@ -27,7 +27,7 @@
 # verify each recipient
 if(strlen($_POST['email'])>0) {
 foreach (explode(",", $_POST['email']) as $rec) {
- if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) { $Result->show("danger", _("Invalid email address")." - ".$rec, true); }
+ if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) { $Result->show("danger", _("Invalid email address")." - ".escape_input($rec), true); }
 }
 }
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
index fa6200ceb..751beb65c 100755
--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -3,6 +3,7 @@
 Security Fixes:
 ----------------------------
 + XSS (reflected) in 'bw-calulator-result.php';
+ + XSS (reflected) by invalid email address response;
 + Restrict find_full_subnets.php to CLI;
 == 1.5.0
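Review bot: Escaping is applied only at the two reported call sites (the added `escape_input($rec)` lines in `mail-notify-check.php` and `edit-result.php`), while the sink `$Result->show(...)` still receives whatever string each other caller builds, so the durable fix is to escape on the rendering side of `Result::show` (or in one message helper) rather than patching individual messages that concatenate `$_POST`-derived values. Whether `escape_input()` is adequate for this HTML context depends on its definition, which is outside this hunk; it should apply `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` or equivalent, since a quote that survives escaping could still break out of an attribute if the message is ever placed in one. A smaller point: the value validated is `trim($rec)` but the value echoed is `$rec`, so `escape_input(trim($rec))` would keep the message consistent with what was checked. Both `foreach` loops begin inside their hunks, but the surrounding scripts continue outside them.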