
fix: corrected potential XSS issues
thorsten committed Jul 9, 2022
1 parent 6ccaf00 commit ff7a800
Showing 2 changed files with 17 additions and 2 deletions.
16 changes: 15 additions & 1 deletion phpmyfaq/admin/ajax.config_list.php
Expand Up @@ -76,9 +76,23 @@ function renderInputForm($key, $type)
$value = str_replace('"', '"', $faqConfig->get($key));
}
echo '<div class="input-group">';

switch ($key) {
case 'main.administrationMail':
$type = 'email';
break;
case 'main.referenceURL':
case 'main.privacyURL':
$type = 'url';
break;
default:
$type = 'text';
break;
}

printf(
'<input class="form-control" type="%s" name="edit[%s]" id="edit[%s]" value="%s" step="1" min="0">',
is_numeric($value) ? 'number' : 'text',
is_numeric($value) ? 'number' : $type,
$key,
$key,
$value
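Review bot: The attribute escaping on the `$value` line at the top of the hunk appears to handle only the double quote (the page rendering seems to have decoded the replacement entity), and `$key` is interpolated into the `name` and `id` attributes with no escaping at all (its origin is outside the hunk), so this hunk does not by itself close the attribute-injection path the commit title describes; the new switch only changes the input's `type`. Since this same commit already routes `main.contactInformations` through `Strings::htmlspecialchars` in contact.php, the consistent fix is `$value = Strings::htmlspecialchars($faqConfig->get($key));` and `Strings::htmlspecialchars($key)` for both key placeholders in the printf, provided that helper escapes quotes (an attribute value needs `ENT_QUOTES`) and this file imports `phpMyFAQ\Strings`. The `default: $type = 'text';` branch also discards whatever the caller passed as `$type`; if that parameter is meant to be honoured, `default: break;` preserves it, otherwise the parameter is now dead and should be documented or removed. renderInputForm starts before the hunk and the printf call continues past it.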
3 changes: 2 additions & 1 deletion phpmyfaq/contact.php
Expand Up @@ -18,6 +18,7 @@
use phpMyFAQ\Captcha;
use phpMyFAQ\Core\Exception;
use phpMyFAQ\Helper\CaptchaHelper;
use phpMyFAQ\Strings;
use phpMyFAQ\User\CurrentUser;

if (!defined('IS_VALID_PHPMYFAQ')) {
Expand Down Expand Up @@ -45,7 +46,7 @@
'mainPageContent',
[
'pageHeader' => $PMF_LANG['msgContact'],
'msgContactOwnText' => nl2br($faqConfig->get('main.contactInformations')),
'msgContactOwnText' => nl2br(Strings::htmlspecialchars($faqConfig->get('main.contactInformations'))),
'msgContactEMail' => $PMF_LANG['msgContactEMail'],
'msgContactPrivacyNote' => $PMF_LANG['msgContactPrivacyNote'],
'privacyURL' => $faqConfig->get('main.privacyURL'),
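Review bot: The `privacyURL` entry three lines below the changed line still hands `$faqConfig->get('main.privacyURL')` to the template raw, while the neighbouring `main.contactInformations` value is now escaped; whether that is safe depends on the template's own escaping, which is not visible here. If the template emits it into an `href` without escaping, wrapping that line in `Strings::htmlspecialchars(...)` closes the attribute-breakout case but not a hostile URL scheme, so the stronger guard is to validate the value server-side when it is saved (e.g. `filter_var(..., FILTER_VALIDATE_URL)` plus an http/https scheme check) — the `type="url"` that the sibling hunk in ajax.config_list.php assigns is client-side validation only. The escape-then-`nl2br` order on the changed line is the right one, since it keeps the inserted `<br />` tags intact. The template call that holds this array begins outside the hunk.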
