authorAndreas Gohr <gohr@cosmocode.de>2012-04-19 11:26:46 +0200
committerAndreas Gohr <gohr@cosmocode.de>2012-04-19 11:26:46 +0200
commitff71173477e54774b5571015d49d944f51cb8a26 (patch)
treec3f34a854f77399167081a87e7c66d1f29ce4972
parent56ef9b96cf85ba4b1e5df37ac113143f102d3642 (diff)
escape target error message (SECURITY) FS#2487 FS#2488
The error message shown when a non-existent editor was requested wasn't escaped correctly, allowing arbitrary JavaScript to be introduced into the output and leading to an XSS vulnerability. Note: the reported second CSRF vulnerability is the same bug; the exploit code simply uses JavaScript to extract a valid CSRF token from the site.
-rw-r--r--inc/html.php2
1 files changed, 1 insertions, 1 deletions
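--- a/inc/html.php
+++ b/inc/html.php
@@ -1436,7 +1436,7 @@ function html_edit_form($param) {
 global $TEXT;
 if ($param['target'] !== 'section') {
-msg('No editor for edit target ' . $param['target'] . ' found.', -1);
+msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1);
 }
 $attr = array('tabindex'=>'1');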
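Review bot: The fix escapes at this one call site, but nothing in the new line records why, so the next person who builds a similar message from `$param['target']` elsewhere has no hint that msg() emits its argument as raw HTML; add `// target is request-controlled and msg() outputs HTML unescaped — hsc() is required here (FS#2487)` above the msg() call. Because the escaping lives at the caller rather than in msg(), any other msg() call that interpolates request-derived values presumably has the same exposure and is worth a sweep, though none is visible in this hunk. The lookup `$param['target']` is also unguarded, so a request without a target would reach hsc() with an undefined index — likely a notice rather than a security problem, but `$target = $param['target'] ?? '';` (or isset()) would make the message robust. html_edit_form() begins and ends outside this hunk.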