From 25df78337800e62117dbf1b7a1565bc449331307 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sat, 11 Sep 2021 20:03:05 +0100
Subject: [PATCH] Apply htmlentities in a couple of places to prevent xss
Co-authored-by: wtwver
Signed-off-by: Adam Warner
---
 scripts/pi-hole/php/func.php | 1 +
 settings.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/pi-hole/php/func.php b/scripts/pi-hole/php/func.php
index 12e410618..4d79872b1 100644
--- a/scripts/pi-hole/php/func.php
+++ b/scripts/pi-hole/php/func.php
@@ -472,6 +472,7 @@ function returnSuccess($message = "", $json = true)
 function returnError($message = "", $json = true)
 {
+ $message = htmlentities($message) ;
 if ($json) {
 return [ "success" => false, "message" => $message ];
 } else {
diff --git a/settings.php b/settings.php
index d08d17fb3..a3ce919a3 100644
--- a/settings.php
+++ b/settings.php
@@ -41,7 +41,7 @@
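Review bot: The added `htmlentities($message)` call in returnError relies on the default flags, which on PHP releases before 8.1 leave single quotes unencoded and return an empty string when `$message` contains invalid UTF-8, so the error text can remain unsafe inside a single-quoted attribute or disappear altogether. Pass the flags and charset explicitly, and drop the stray space before the semicolon: `$message = htmlentities($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The encoding also runs before the `if ($json)` branch, so the JSON payload carries HTML entities; that is only correct if every consumer inserts the message as markup, which cannot be confirmed from this hunk, and a comment such as `// Encoded here because callers render the message as HTML` would record the assumption. returnError's body continues past the hunk, and returnSuccess (named in the hunk header) is not changed here, so it is worth checking whether it echoes caller-supplied text and needs the same treatment.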

Debug

-
+