Bugfix: XSS in format GET param of stats action

Changelog.md

@@ -4,7 +4,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 
 ## v0.24-dev
 
-(none yet! More improvements coming soon :D)
+### Fixed
+ - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
 
 
 ## v0.23

modules/feature-stats.php

@@ -33,7 +33,7 @@
 			global $settings, $statistic_calculators;
 
 			$allowed_formats = [ "html", "json" ];
-			$format = $_GET["format"] ?? "html";
+			$format = slugify($_GET["format"]) ?? "html";
 
 			if(!in_array($format, $allowed_formats)) {
 				http_response_code(400);