xss: Prevent Agent Directory XSS

This addresses a vulnerability where an Agent can perform XSS via the Agent Directory’s REQUEST query string. This sanitizes the request params so the code will be escaped and not executed in the browser.

xss: Prevent Agent Directory XSS
This addresses a vulnerability where an Agent can perform XSS via the Agent Directory’s REQUEST query string. This sanitizes the request params so the code will be escaped and not executed in the browser.
36651b91 · JediKev · c4669d77 · 36651b91
Commit 36651b91 authored 7 years ago by JediKev
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -5,6 +5,10 @@ $qs = array();
 $agents = Staff::objects()
    ->select_related('dept');

+// Sanitize 'order' param To Escape XSS
+if ($_REQUEST['order'])
+    $_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
+
 if($_REQUEST['q']) {
    $searchTerm=$_REQUEST['q'];
    if($searchTerm){