Merge branch 'issue/xss-agent-directory' into release/v1.10.2

* issue/xss-agent-directory: xss: Prevent Agent Directory XSS

Merge branch 'issue/xss-agent-directory' into release/v1.10.2
* issue/xss-agent-directory: xss: Prevent Agent Directory XSS
38bf5167 · JediKev · be0133b0 · 36651b91 · 38bf5167
Commit 38bf5167 authored 7 years ago by JediKev
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -5,6 +5,10 @@ $qs = array();
 $agents = Staff::objects()
    ->select_related('dept');

+// Sanitize 'order' param To Escape XSS
+if ($_REQUEST['order'])
+    $_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
+
 if($_REQUEST['q']) {
    $searchTerm=$_REQUEST['q'];
    if($searchTerm){