From bcd58e885461bd97357d20efcd752135f3f4af2a Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Thu, 14 Sep 2017 05:16:52 +0000
Subject: [PATCH] Form data XSS

Encode html entities of cached form data
---
 include/ajax.forms.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index 77b4638bf..70c57e15b 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -21,7 +21,8 @@ class DynamicFormsAjaxAPI extends AjaxController {
         if ($_GET || isset($_SESSION[':form-data'])) {
             if (!is_array($_SESSION[':form-data']))
                 $_SESSION[':form-data'] = array();
-            $_SESSION[':form-data'] = array_merge($_SESSION[':form-data'], $_GET);
+            $_SESSION[':form-data'] = array_merge($_SESSION[':form-data'],
+                    Format::htmlchars($_GET));
         }
 
         foreach ($topic->getForms() as $form) {
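Review bot: Encoding `$_GET` at the point where it is merged into `$_SESSION[':form-data']` protects only readers that print these values as HTML text, and the hunk does not show where the cache is read. A consumer that escapes again on output will double-encode, and any other writer to this session key stays unencoded. Array keys from the query string also need checking: if `Format::htmlchars()` encodes only an array's values (its body is not visible here), request-supplied parameter names are still cached raw. I would keep the encoding, confirm that the render path escapes at output, and add a comment at the merge such as `// values are cached HTML-encoded; readers of :form-data must not escape them again and must escape keys themselves`. The enclosing method starts and ends outside the hunk.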
-- 
GitLab