| field | value | date |
|---|---|---|
| author | Andreas Gohr <gohr@cosmocode.de> | 2012-04-19 11:26:46 +0200 |
| committer | Adrian Lang <mail@adrianlang.de> | 2012-04-19 12:12:24 +0200 |
| commit | 8da915a3b9ee2964f2b44527334c0a6c30506beb | |
| tree | 9f51c2aa3bc4ba4faf4a8e8f1279ecf673c4ce0a | |
| parent | 2aff50250d74adb1b4567753ec0a4515f0529495 | |
| download | rpg-8da915a3b9ee2964f2b44527334c0a6c30506beb.tar.gz, rpg-8da915a3b9ee2964f2b44527334c0a6c30506beb.tar.bz2 | |
escape target error message (SECURITY) FS#2487 FS#2488
The error message when loading a non-existent editor was attempted wasn't
escaped correctly, allowing arbitrary JavaScript to be introduced into the
output, leading to an XSS vulnerability.
Note: the reported second CSRF vulnerability is the same bug; the exploit
code simply uses JavaScript to extract a valid CSRF token from the site.
-rw-r--r-- | inc/html.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/inc/html.php b/inc/html.php index 1a2d7daef..304c647ed 100644 --- a/inc/html.php +++ b/inc/html.php @@ -1437,7 +1437,7 @@ function html_edit_form($param) { global $TEXT; if ($param['target'] !== 'section') { - msg('No editor for edit target ' . $param['target'] . ' found.', -1); + msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1); } $attr = array('tabindex'=>'1'); |
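Review bot: wrapping `$param['target']` in hsc() at the call site fixes this path, but it depends on every caller of msg() remembering that msg() emits its text argument as HTML; a doc comment on msg() (or a one-line comment at this call) stating that the text is raw HTML and that any user-derived value must go through hsc() would make the next such regression easier to catch in review. Separately, the guard is `if ($param['target'] !== 'section')`, so every target other than 'section', including an absent key, falls into the error message; an `isset($param['target'])` check before the comparison would avoid a PHP notice when the key is missing and make the intent explicit.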