From 4be6a181cbd876f75ed8c02462a74f1976494fbc Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Tue, 21 Sep 2021 13:29:27 +0100
Subject: [PATCH] Bugfix: XSS in format GET param of stats action

---
 Changelog.md | 3 ++-
 modules/feature-stats.php | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index c4abd27..056ee6e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 ## v0.24-dev
-(none yet! More improvements coming soon :D)
+### Fixed
+ - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
 ## v0.23
diff --git a/modules/feature-stats.php b/modules/feature-stats.php
index 74bf4ae..8a36b28 100644
--- a/modules/feature-stats.php
+++ b/modules/feature-stats.php
@@ -33,7 +33,7 @@ global $settings, $statistic_calculators;
 $allowed_formats = [ "html", "json" ];
-$format = $_GET["format"] ?? "html";
+$format = slugify($_GET["format"]) ?? "html";
 if(!in_array($format, $allowed_formats)) {
 http_response_code(400);
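Review bot: The `??` on the new `$format` line now applies to the return value of slugify(), not to `$_GET["format"]`, so when the parameter is absent the undefined-index warning fires and slugify() is called with null; the `"html"` default only takes effect if slugify() happens to return null, which nothing in this hunk shows. Keeping the default on the raw value preserves the original intent: `$format = slugify($_GET["format"] ?? "html");`. Since the whitelist check against `$allowed_formats` already existed before this commit, the XSS presumably came from the rejected value being echoed back in the 400 path just below the hunk; slugifying narrows the character set, but that echo should itself be escaped with `htmlspecialchars($format, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the membership test should be `in_array($format, $allowed_formats, true)` so a non-string value cannot loosely compare equal. The enclosing function starts and ends outside the hunk.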