From cee4021f2aec53ea869d552e05494bf7718c81cf Mon Sep 17 00:00:00 2001
From: Ignacio Nelson
Date: Mon, 26 Jul 2021 16:24:50 -0300
Subject: [PATCH] Prevent XSS

Report: https://www.huntr.dev/bounties/1625236769375-projectsend/projectsend/
---
 manage-files.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/manage-files.php b/manage-files.php
index c6b8a703..9ccc1538 100644
--- a/manage-files.php
+++ b/manage-files.php
@@ -27,7 +27,9 @@
  * Then get_client_by_id() gets all the other account values.
  */
 if (isset($_GET['client'])) {
-    $this_id = $_GET['client'];
+    if (!is_numeric($_GET['client'])) { exit; }
+
+    $this_id = (int)$_GET['client'];
     $this_client = get_client_by_id($this_id);
 
     /** Add the name of the client to the page's title. */
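Review bot: The added `is_numeric()` guard is looser than the `(int)` cast on the following line implies, since `is_numeric()` accepts values such as `"1e3"`, `" 12"` and `"3.7"`, which then silently become a different integer than the caller passed. Validating as an integer directly and rejecting the request with a status code instead of a bare `exit;` is tighter and easier to debug: `$this_id = filter_var($_GET['client'], FILTER_VALIDATE_INT);` followed by `if ($this_id === false) { header('HTTP/1.1 400 Bad Request'); exit; }`. Coercing the input to an integer does stop this parameter from being reflected into the page, but the rendering site that echoes the id or the client name is outside this hunk and should still pass through `htmlspecialchars()` so the fix does not depend on every input path being numeric. The `if (isset($_GET['client']))` block continues past the end of the hunk, and a `null` result from `get_client_by_id()` is not checked within the visible lines.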