From e579d4785c9b21ec8dd461a5b1ee2ca6dce91712 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 16 Jun 2014 16:35:55 -0500
Subject: [PATCH] Fix several XSS vulnerabilities

In both the client and staff interfaces, URL and request parameters were
echoed back into the page without any escaping.
---
 include/client/pwreset.login.php   | 2 +-
 include/client/register.inc.php    | 4 ++--
 include/staff/dynamic-list.inc.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/client/pwreset.login.php b/include/client/pwreset.login.php
index a1c1ed4e7..c2bc7e399 100644
--- a/include/client/pwreset.login.php
+++ b/include/client/pwreset.login.php
@@ -12,7 +12,7 @@ Enter your username or email address again in the form below and press the
     <div style="width:50%;display:inline-block">
     <?php csrf_token(); ?>
     <input type="hidden" name="do" value="reset"/>
-    <input type="hidden" name="token" value="<?php echo $_REQUEST['token']; ?>"/>
+    <input type="hidden" name="token" value="<?php echo Format::htmlchars($_REQUEST['token']); ?>"/>
     <strong><?php echo Format::htmlchars($banner); ?></strong>
     <br>
     <div>
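Review bot: The escaped `token` value is still read from `$_REQUEST`, which merges GET, POST and cookie data, so the reset form accepts the token from any of those sources even though the reset link presumably carries it in the query string; narrowing the read to the source the flow actually uses (`$_GET` or `$_POST`) would make the page's intent explicit and keep a cookie from silently supplying it. Independently of that, `$_REQUEST['token']` is read without an `isset` check, so a request without the parameter raises an undefined-index notice before `Format::htmlchars` runs; `isset($_REQUEST['token']) ? $_REQUEST['token'] : ''` avoids that without changing the output. If the token has a fixed format (for example a hex or alphanumeric string), checking it against that format before echoing it would be cheaper than relying on output escaping alone, but the format is not visible here. The form this hunk sits in starts before and ends after the hunk.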
diff --git a/include/client/register.inc.php b/include/client/register.inc.php
index 0a5676781..9c86407a1 100644
--- a/include/client/register.inc.php
+++ b/include/client/register.inc.php
@@ -22,8 +22,8 @@ your account
 </p>
 <form action="account.php" method="post">
   <?php csrf_token(); ?>
-  <input type="hidden" name="do" value="<?php echo $_REQUEST['do']
-    ?: ($info['backend'] ? 'import' :'create'); ?>" />
+  <input type="hidden" name="do" value="<?php echo Format::htmlchars($_REQUEST['do']
+    ?: ($info['backend'] ? 'import' :'create')); ?>" />
 <table width="800" class="padded">
 <tbody>
 <?php
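Review bot: The new `do` value is escaped for the HTML attribute, but the action selector itself is still whatever the request supplied; the page only falls back to `'import'`/`'create'` when the parameter is absent, so the hidden field relays any arbitrary action name to `account.php` rather than one of the values this page knows about. If `account.php` accepts only those two actions for this form, an allow-list would make that explicit: `$do = isset($_REQUEST['do']) && in_array($_REQUEST['do'], array('import', 'create'), true) ? $_REQUEST['do'] : ($info['backend'] ? 'import' : 'create');` followed by `echo Format::htmlchars($do);`. Note also that the `?:` short-circuit tests truthiness, so a `do` of `'0'` is treated as absent, and `$_REQUEST['do']` is read without an `isset` guard and will raise a notice when missing. The surrounding form and the `$info` assignment are outside this hunk, so whether `$info['backend']` is always set cannot be confirmed from here.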
diff --git a/include/staff/dynamic-list.inc.php b/include/staff/dynamic-list.inc.php
index a064dc935..32b8921e0 100644
--- a/include/staff/dynamic-list.inc.php
+++ b/include/staff/dynamic-list.inc.php
@@ -19,7 +19,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 <form action="?" method="post" id="save">
     <?php csrf_token(); ?>
     <input type="hidden" name="do" value="<?php echo $action; ?>">
-    <input type="hidden" name="a" value="<?php echo $_REQUEST['a']; ?>">
+    <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
     <input type="hidden" name="id" value="<?php echo $info['id']; ?>">
     <h2>Custom List</h2>
 
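Review bot: The `do` hidden field on the line above the changed one still echoes `$action` unescaped, and `$action` is assigned outside this hunk; if it is derived from request data in the same way `a` is, it has the identical reflected-XSS exposure the commit is fixing, and wrapping it as `value="<?php echo Format::htmlchars($action); ?>"` would be harmless even if it turns out to be a fixed string. The `id` field is covered, since the hunk context shows `$info` already passed through `Format::htmlchars` at the top of the file. As in the other hunks, `$_REQUEST['a']` is read without an `isset` check and will emit a notice when the parameter is absent. The form continues past the end of this hunk.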
-- 
GitLab