From cf2fda66e2f359e50e2ac255f731509c35ff48fe Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Thu, 4 Apr 2024 09:31:20 +0200
Subject: [PATCH] [Web] escape html of alert messages
---
 data/web/inc/footer.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 8c50c9c15..ac1bff033 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION);
 $alerts = [];
 if (is_array($alertbox_log_parser)) {
 foreach ($alertbox_log_parser as $log) {
- $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '
']);
+ $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+ $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '
']);
 $alerts[trim($log['type'], '"')][] = trim($message, '"');
 }
 $alert = array_filter(array_unique($alerts));
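Review bot: The `trim($message, '"')` on the context line after the new escaping now runs on already-escaped text, so a message that arrives wrapped in double quotes keeps them as `&quot;`, because `ENT_QUOTES` has rewritten them before the trim sees them. If `alertbox_log_parser()` still quote-wraps `msg` (its body is not visible here), strip first and escape second: `$message = htmlspecialchars(trim($log['msg'], '"'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Passing `ENT_SUBSTITUTE` and the charset explicitly also keeps a message containing invalid UTF-8 from coming back as an empty string, which would silently blank the alert. Separately, `$log['type']` is still used unescaped as the array key. Where that key is emitted lies outside the hunk, so confirm it is restricted to a fixed set of values or escape it at the output site.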