Merge pull request #3960 from protich/issue/xss-forms

xss: Cached forms data

Merge pull request #3960 from protich/issue/xss-forms
1f8df249 · Peter Rotich · GitHub · ebe19531 · bcd58e88 · 1f8df249
Commit 1f8df249 authored 7 years ago by Peter Rotich Committed by GitHub 7 years ago
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -21,7 +21,8 @@ class DynamicFormsAjaxAPI extends AjaxController {
        if ($_GET || isset($_SESSION[':form-data'])) {
            if (!is_array($_SESSION[':form-data']))
                $_SESSION[':form-data'] = array();
-            $_SESSION[':form-data'] = array_merge($_SESSION[':form-data'], $_GET);
+            $_SESSION[':form-data'] = array_merge($_SESSION[':form-data'],
+                    Format::htmlchars($_GET));
        }
        foreach ($topic->getForms() as $form) {