From 58723938c4ac0722ab18a345d286634a9f823b39 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Thu, 19 Jul 2007 14:25:38 +0200
Subject: fix for XSS in spellchecker FS#1195

darcs-hash:20070719122538-7ad00-6c49f72bc490f27718d25f105fd762982631bd7b.gz
---
 lib/exe/spellcheck.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/exe/spellcheck.php b/lib/exe/spellcheck.php
index 65f80c5e8..aa1168136 100644
--- a/lib/exe/spellcheck.php
+++ b/lib/exe/spellcheck.php
@@ -272,7 +272,8 @@ function spell_resume(){
 * Just send data back as received for UTF-8 testing
 */
 function spell_utf8test(){
- print $_POST['data'];
+ // we need to return the raw value - substr protects against XSS
+ print substr($_POST['data'],0,3);
 }

 /**
--
cgit v1.2.3
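Review bot: In `spell_utf8test()` the 3-byte truncation is the only protection on the echoed `$_POST['data']`, and the new line neither checks that the parameter is a string nor, within this hunk, declares a content type. A missing or array-valued `data` parameter reaches `substr()` directly and raises a notice or warning (a TypeError on PHP 8), which can expose the script path where errors are displayed. I would guard the type and make the response non-HTML: `$data = (isset($_POST['data']) && is_string($_POST['data'])) ? $_POST['data'] : '';`, then `header('Content-Type: text/plain; charset=utf-8');` and `print substr($data, 0, 3);`. Whether a header is already sent elsewhere in spellcheck.php is not visible from this hunk. The docblock above still says the data is sent back "as received"; it should state that only the first three bytes are echoed and why three bytes are enough for the UTF-8 test.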