From 7b4793cae59f96252608b6e71e6cc62a5f96d5a1 Mon Sep 17 00:00:00 2001 From: Ignacio Nelson Date: Tue, 27 Jul 2021 17:50:12 -0300 Subject: [PATCH] Prevent XSS via current section variable --- email-templates.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/email-templates.php b/email-templates.php index 198c4cb0d..ed0160abb 100644 --- a/email-templates.php +++ b/email-templates.php @@ -11,6 +11,22 @@ $section = ( !empty( $_GET['section'] ) ) ? $_GET['section'] : $_POST['section']; +$allowed_sections = [ + 'header_footer', + 'new_files_by_user', + 'new_files_by_client', + 'new_client', + 'new_client_self', + 'account_approve', + 'account_deny', + 'new_user', + 'password_reset', + 'client_edited', +]; +if (!in_array($section, $allowed_sections)) { + $section = 'header_footer'; +} + switch ( $section ) { case 'header_footer': $section_title = __('Header / footer','cftp_admin');
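Review bot: The allow-list gate `if (!in_array($section, $allowed_sections))` uses loose comparison and does not pin the type of `$section`, which comes straight from `$_GET`/`$_POST` and can arrive as an array (`?section[]=x`) or as null; make the check strict and explicit: `if (!is_string($section) || !in_array($section, $allowed_sections, true)) {`. Because every entry in `$allowed_sections` is a non-numeric string, loose `==` does not appear to admit an extra value here, so this is hygiene that keeps the gate unambiguous across PHP versions rather than a bypass. The `switch ( $section )` that consumes the validated value continues past the end of the hunk, so I cannot confirm its cases stay in step with the new array; a comment on the array such as `// Keep in sync with the switch cases below` would make the coupling visible to the next maintainer. The context line `$section = ( !empty( $_GET['section'] ) ) ? $_GET['section'] : $_POST['section'];` still dereferences `$_POST['section']` when it is unset, which is pre-existing and not introduced by this commit.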