hoo2/InformationSystemsSecurity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix XSS by applying context-aware encoding

Browse Source
This commit is contained in:
Christos Choutouridis 2026-01-11 15:40:59 +02:00
parent 34898059d9
commit 3bdb2b0a6a
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
passman-dev/php/passman/notes.php
View File

@ -73,12 +73,17 @@ echo "<h3>List of notes/comments</h3>";
if (!empty($result) && $result->num_rows >= 1) { if (!empty($result) && $result->num_rows >= 1) {
while ($row = $result -> fetch_assoc()) { while ($row = $result -> fetch_assoc()) {
// Escape output to prevent stored XSS (DB content must be treated as untrusted).
$safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
$safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
echo "<div class='note'>"; echo "<div class='note'>";
echo "<div class='note-content'>" . $row["note"] . "</div>"; echo "<div class='note-content'>" . $safe_note . "</div>";
echo "<div class='note-signature'> by " . $row["username"] . "</div>"; echo "<div class='note-signature'> by " . $safe_user . "</div>";
echo "</div>"; echo "</div>";
} }
// Free result set // Free result set
$result -> free_result(); $result -> free_result();
} else { } else {