Merge pull request #4160 from JediKev/issue/xss-agent-directory

xss: Prevent Agent Directory XSS

Merge pull request #4160 from JediKev/issue/xss-agent-directory
xss: Prevent Agent Directory XSS
fb603a3f · Peter Rotich · GitHub · c222fad2 · 36651b91 · fb603a3f
Unverified Commit fb603a3f authored 6 years ago by Peter Rotich Committed by GitHub 6 years ago
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -5,6 +5,10 @@ $qs = array();
 $agents = Staff::objects()
    ->select_related('dept');

+// Sanitize 'order' param To Escape XSS
+if ($_REQUEST['order'])
+    $_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
+
 if($_REQUEST['q']) {
    $searchTerm=$_REQUEST['q'];
    if($searchTerm){