From ff71173477e54774b5571015d49d944f51cb8a26 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <gohr@cosmocode.de>
Date: Thu, 19 Apr 2012 11:26:46 +0200
Subject: escape target error message (SECURITY) FS#2487 FS#2488

The error message when a non-existant editor was tried to load wasn't
escaped correctly, allowing to introduce arbitrary JavaScript to the
output, leading to a XSS vulnerability.

Note: the reported second XCRF vulnerability is the same bug, the xploit
code simply uses JavaScript to extract a valid CSRF token from the site
---
 inc/html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/html.php')

diff --git a/inc/html.php b/inc/html.php
index b233e1d92..022cd792a 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -1436,7 +1436,7 @@ function html_edit_form($param) {
     global $TEXT;
 
     if ($param['target'] !== 'section') {
-        msg('No editor for edit target ' . $param['target'] . ' found.', -1);
+        msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1);
     }
 
     $attr = array('tabindex'=>'1');
-- 
cgit v1.2.3