author | Andreas Gohr <andi@splitbrain.org> | 2007-07-19 14:25:38 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2007-07-19 14:25:38 +0200 |
commit | 58723938c4ac0722ab18a345d286634a9f823b39 (patch) | |
tree | 8c81d34022ba34918ad1c3b7bb3470f0a693c978 | |
parent | 72de906899b8636e7c60c79f81509d00d9b7bd2b (diff) | |
download | rpg-58723938c4ac0722ab18a345d286634a9f823b39.tar.gz rpg-58723938c4ac0722ab18a345d286634a9f823b39.tar.bz2 |
fix for XSS in spellchecker FS#1195
darcs-hash:20070719122538-7ad00-6c49f72bc490f27718d25f105fd762982631bd7b.gz
-rw-r--r-- | conf/msg | 2 | ||||
-rw-r--r-- | lib/exe/spellcheck.php | 3 |
2 files changed, 3 insertions, 2 deletions
@@ -1,4 +1,4 @@
-9
+10
 The first line of this file contains a number, indicating which notification messages should not be displayed. This is the only information sent to dokuwiki.org when the
diff --git a/lib/exe/spellcheck.php b/lib/exe/spellcheck.php
index 65f80c5e8..aa1168136 100644
--- a/lib/exe/spellcheck.php
+++ b/lib/exe/spellcheck.php
@@ -272,7 +272,8 @@ function spell_resume(){
  * Just send data back as received for UTF-8 testing
  */
 function spell_utf8test(){
-    print $_POST['data'];
+    // we need to return the raw value - substr protects against XSS
+    print substr($_POST['data'],0,3);
 }
 
 /** |
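Review bot: The new `print substr($_POST['data'],0,3);` still reflects raw request bytes, so the XSS protection rests on the payload being too short for markup rather than on how the response is typed or encoded. Nothing in the hunk shows a Content-Type being set for this endpoint; if it is not set elsewhere in the request path, add `header('Content-Type: text/plain; charset=utf-8');` before the print so a browser never treats the echo as HTML, regardless of length. Also note that `substr` counts bytes, not characters, so three bytes is exactly one 3-byte UTF-8 sequence; the cap only works if it matches the probe the client sends, which the comment should state, e.g. `// echo at most 3 bytes (one UTF-8 char) back: enough for the client probe, too short for markup`. spell_utf8test is complete within the hunk.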