fix: Sanitize 'sortby' variable in ZoneTemplate to prevent XSS

poweradmin · Dec 2, 2023 · 12e8ebf · 12e8ebf
1 parent 61c3ed7
commit 12e8ebf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/ZoneTemplate.php b/lib/ZoneTemplate.php
@@ -248,7 +248,7 @@ public static function get_zone_templ_records($db, int $id, int $rowstart = 0, i
         $db->setLimit($rowamount, $rowstart);
 
         $allowedSortColumns = ['name', 'type', 'content', 'priority', 'ttl'];
-        $sortby = in_array($sortby, $allowedSortColumns) ? $sortby : 'name';
+        $sortby = in_array($sortby, $allowedSortColumns) ? htmlspecialchars($sortby) : 'name';
 
         $stmt = $db->prepare("SELECT id FROM zone_templ_records WHERE zone_templ_id = :id ORDER BY " . $sortby);
         $stmt->execute([':id' => $id]);