From 88bedbdea4f9b5c0cf7659019588139bc3f75a8f Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 23 Mar 2015 10:21:44 -0500
Subject: [PATCH] xss: Fix possible XSS vuln in current sequence display
---
 include/ajax.sequence.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/ajax.sequence.php b/include/ajax.sequence.php
index 37be03269..299e8c322 100644
--- a/include/ajax.sequence.php
+++ b/include/ajax.sequence.php
@@ -33,7 +33,7 @@ class SequenceAjaxAPI extends AjaxController {
 elseif (!($sequence = Sequence::lookup($id)))
 Http::response(404, 'No such object');
- return $sequence->current($_GET['format']);
+ return $sequence->current(Format::htmlchars($_GET['format']));
 }
 /**
-- 
GitLab
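Review bot: The escaping on the added line is applied to the request parameter as it enters current() rather than at the point where the value is rendered, so whether it is sufficient depends on what current() does with its argument, and that method is outside this hunk; if the format string is also used in a non-HTML context (a JSON body, a database write), the HTML entities introduced here would leak into it. A one-line comment would record the assumption the fix relies on, e.g. `// format is reflected back into HTML by current(); escape on entry because there is no later output step`. Separately, `$_GET['format']` is still read without an existence check, so a request that omits the parameter raises an undefined-index notice before `Format::htmlchars` runs; `isset($_GET['format']) ? Format::htmlchars($_GET['format']) : null` would avoid that, with the fallback chosen to match current()'s own default. The enclosing method begins before the hunk.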