Fix XSS by applying context-aware encoding

This commit is contained in:
Christos Choutouridis 2026-01-11 15:40:59 +02:00
parent 34898059d9
commit 3bdb2b0a6a


@ -72,12 +72,17 @@ $result = $conn->query($sql_query);
echo "<h3>List of notes/comments</h3>"; echo "<h3>List of notes/comments</h3>";
if (!empty($result) && $result->num_rows >= 1) { if (!empty($result) && $result->num_rows >= 1) {
while ($row = $result -> fetch_assoc()) { while ($row = $result -> fetch_assoc()) {
echo "<div class='note'>"; // Escape output to prevent stored XSS (DB content must be treated as untrusted).
echo "<div class='note-content'>" . $row["note"] . "</div>"; $safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
echo "<div class='note-signature'> by " . $row["username"] . "</div>"; $safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
echo "</div>";
} echo "<div class='note'>";
echo "<div class='note-content'>" . $safe_note . "</div>";
echo "<div class='note-signature'> by " . $safe_user . "</div>";
echo "</div>";
}
// Free result set // Free result set
$result -> free_result(); $result -> free_result();
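Review bot: The two new `$safe_note` / `$safe_user` lines pass `$row["note"]` and `$row["username"]` straight into htmlspecialchars(); if either column can be NULL in the database, PHP 8.1+ raises a "Passing null to parameter #1" deprecation and the value silently renders as an empty string, so coerce explicitly, e.g. `$safe_note = htmlspecialchars((string) ($row["note"] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");` and likewise for `$safe_user`. The escaping itself matches the sink: both values land as element text inside `<div>` elements, so ENT_QUOTES | ENT_SUBSTITUTE with an explicit UTF-8 charset is the right encoder for this context. That charset argument only holds if the response actually declares UTF-8 (via a Content-Type header or meta tag), which is not visible in this hunk and is worth confirming, since a mismatch reopens charset-sniffing tricks. The surrounding script, including how `$sql_query` in the hunk header is built, starts before this hunk and is not reviewable here.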