fix cross-site scripting vulnerability

2020-04-14 12:50:19 +02:00 · 2020-04-14 12:50:19 +02:00 · 268e317ca3
parent 987d8f4c75
commit 268e317ca3
1 changed files with 1 additions and 11 deletions
--- a/pandora_console/operation/messages/message_edit.php
+++ b/pandora_console/operation/messages/message_edit.php
@ -127,17 +127,7 @@ if ($read_message) {
            ).' '.$user_name;
        }

-        $order = [
-            "\r\n",
-            "\n",
-            "\r",
-        ];
-        $replace = '<br />';
-        $parsed_message = str_replace(
-            $order,
-            $replace,
-            trim(io_safe_output($row['message']))
-        );
+        $parsed_message = nl2br(htmlspecialchars(trim(io_safe_output($row['message']))));

        echo '<div class="container">';
        echo '  <p>'.$parsed_message.'</p>';