From 94143a4299e386f33bf582139cd4702571d93bde Mon Sep 17 00:00:00 2001
From: Steve Hannah
Date: Mon, 4 Oct 2021 10:13:39 -0700
Subject: [PATCH] Fixed XSS vulnerability reported by hitisec.

This is low threat since it is in the installer, which is disabled by default, and should only be enabled temporarily by trusted parties. E.g. in order to even reach the vulnerability, the user would need to have a valid username/password for the MySQL database.
---
 install/install_form.js.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/install/install_form.js.php b/install/install_form.js.php
index dc0ffb02..3cfdfff7 100644
--- a/install/install_form.js.php
+++ b/install/install_form.js.php
@@ -15,8 +15,8 @@ function testftp(form){
     postDataReturnText('installer.php','-action=testftp&-ftphost='+escape(form.ftp_host.value)+'&-ftpuser='+escape(form.ftp_username.value)+'&-ftppass='+escape(form.ftp_password.value)+'&-ftppath='+escape(form.ftp_path.value), function(result){
         var resultDiv = document.getElementById('ftp-test-results');
-        eval('var results = '+result+';');
-        resultDiv.innerHTML = results.message;
+        var results = JSON.parse(result);
+        resultDiv.innerText = results.message;
     });
@@ -24,9 +24,8 @@ function testftp(form){
 function testdb(form){
     postDataReturnText('installer.php','-action=testdb&-dbname='+escape(form.database_name.options[form.database_name.selectedIndex].value)+'&-dbuser='+escape(form.mysql_user.value)+'&-dbpass='+escape(form.mysql_password.value), function(result){
-        var resultDiv = document.getElementById('db-test-results');
-        eval('var results = '+result+';');
-        resultDiv.innerHTML = results.message;
+        var results = JSON.parse(result);
+        resultDiv.innerText = results.message;
     });
 }
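Review bot: `JSON.parse(result)` in the testftp callback throws a SyntaxError whenever installer.php answers with something that is not JSON (a PHP warning prefixed to the body, or an HTML error page), and nothing in the callback catches it, so the `ftp-test-results` element is never updated and the user gets no feedback; the `eval` it replaces failed the same way, but the parse is now the natural place to handle it. Wrapping the parse in a try/catch and writing a fixed fallback message on failure keeps the XSS fix intact (the element is still written through innerText) while surfacing bad responses. `results.message` is assumed to be a string here — TODO confirm installer.php always sets it, since an undefined message renders as the literal text "undefined". The same applies to the testdb hunk below. testftp's `function` line and closing brace are outside this hunk.
```javascript
// … unchanged: postDataReturnText('installer.php', …, function(result){ and the resultDiv lookup …
        var results;
        try {
            results = JSON.parse(result);
        } catch (e) {
            resultDiv.innerText = 'Unexpected response from installer.php';
            return;
        }
        resultDiv.innerText = results.message;
```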
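Review bot: The testdb hunk removes the `var resultDiv = document.getElementById('db-test-results');` declaration together with the eval, but the new line `resultDiv.innerText = results.message;` still uses it, so the database test callback now throws a ReferenceError (or writes to an unrelated global of that name, if one happens to exist) instead of showing the result. The diffstat's 5 deletions against 4 insertions is the lost line. Restore `var resultDiv = document.getElementById('db-test-results');` directly ahead of `var results = JSON.parse(result);` so testdb mirrors the testftp hunk above.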