From 88bedbdea4f9b5c0cf7659019588139bc3f75a8f Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 23 Mar 2015 10:21:44 -0500
Subject: [PATCH] xss: Fix possible XSS vuln in current sequence display

---
 include/ajax.sequence.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/ajax.sequence.php b/include/ajax.sequence.php
index 37be03269..299e8c322 100644
--- a/include/ajax.sequence.php
+++ b/include/ajax.sequence.php
@@ -33,7 +33,7 @@ class SequenceAjaxAPI extends AjaxController {
         elseif (!($sequence = Sequence::lookup($id)))
             Http::response(404, 'No such object');
 
-        return $sequence->current($_GET['format']);
+        return $sequence->current(Format::htmlchars($_GET['format']));
     }
 
     /**
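Review bot: On the changed `return` line the escaping is applied to the format string before `$sequence->current()` expands it, not to the value that is sent back to the browser. The response is therefore only safe if `current()` adds nothing markup-significant of its own, and a legitimate format containing `&`, `<` or a quote would be expanded from its entity-encoded form, which may change the previewed number. Encoding at the output boundary avoids both: `return Format::htmlchars($sequence->current($_GET['format']));`. If the client inserts this response as text rather than HTML, returning it with a non-HTML content type would be the cleaner fix, but that cannot be confirmed from this hunk. The method starts outside the hunk, so whether `$_GET['format']` is checked for presence earlier is not visible here; if it is not, a short comment or a `isset()` guard would help.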
-- 
GitLab