dépôts / lhc / web / wiklou.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 85f9ba1)
Close the web page when it is disabled.
authorPlatonides <platonides@users.mediawiki.org>
Mon, 26 Jul 2010 17:41:14 +0000 (17:41 +0000)
committerPlatonides <platonides@users.mediawiki.org>
Mon, 26 Jul 2010 17:41:14 +0000 (17:41 +0000)
Fix XSS in filter parameter. Normal setups (with $wgEnableProfileInfo = false) are not affected.

profileinfo.php patch | blob | history

diff --git a/profileinfo.php b/profileinfo.php
index cd324f9..9ef91a4 100644 (file)
--- a/profileinfo.php
+++ b/profileinfo.php
@@ -65,7 +65,8 @@ require_once( './includes/WebStart.php' );
 <?php
 
 if ( !$wgEnableProfileInfo ) {
-       echo "disabled\n";
+       echo "<p>Disabled</p>\n";
+       echo "</body></html>";
        exit( 1 );
 }
 
@@ -251,8 +252,8 @@ function makeurl( $_filter = false, $_sort = false, $_expand = false ) {
        if ( $_expand === false )
                $_expand = $expand;
 
-       $nfilter = $_filter ? $_filter : $filter;
-       $nsort = $_sort ? $_sort : $sort;
+       $nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter );
+       $nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort );
        $exp = urlencode( implode( ',', array_keys( $_expand ) ) );
        return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
 }
Wiklou, le Wiki du Wiklou