Bug#717082: XSS on developer.php

To: 717082@bugs.debian.org
Subject: Bug#717082: XSS on developer.php
From: Daniel Lintott <daniel@serverb.co.uk>
Date: Tue, 16 Sep 2014 18:25:57 +0100
Message-id: <[🔎] 541872A5.5000601@serverb.co.uk>
Reply-to: Daniel Lintott <daniel@serverb.co.uk>, 717082@bugs.debian.org

Control: tags -1 + patch

Attached is a patch that prevents the XSS flaws previously mentioned.

Regards,

Daniel

Index: common-html.php
===================================================================
--- common-html.php	(revision 3261)
+++ common-html.php	(working copy)
@@ -398,7 +398,7 @@
     {
         if (($key == 'login') or ($key == 'package') or ($key == 'gpg_key'))
         {
-            $action .= html_input_hidden($key,$_GET[$key]);
+            $action .= html_input_hidden($key,htmlspecialchars($_GET[$key]));
         }
     }
     return $action;

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Prev by Date: Bug#761697: DDPO: showing package adopted by third-party as being mine
Next by Date: Processed: XSS on developer.php
Previous by thread: Processed: retitle 761861 to debsources: allow to override detected language type
Next by thread: Processed: XSS on developer.php
Index(es):
- Date
- Thread