From 4de5618dc45b3dc044fb009e3aed0f114cef781b Mon Sep 17 00:00:00 2001 From: ehpersonal38 <103586016+ehpersonal38@users.noreply.github.com> Date: Tue, 7 Mar 2023 18:53:58 -0500 Subject: [PATCH] Patching minor XSS vulnerability The update output shows the name of the current commit your local installation is on. So if a commit is named , for example, that code will execute when someone updates their installation. Not a huge deal since we'd notice if someone made a rogue pull request with any commit names like that before ever accepting it into the repo. --- homepage/views.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/homepage/views.php b/homepage/views.php index be4e0e5..d637833 100644 --- a/homepage/views.php +++ b/homepage/views.php @@ -353,7 +353,7 @@ if(isset($_GET['view'])){ $output = implode("\n", $lines); $results = $output; - + $results = nl2br(htmlspecialchars($results)); if(strlen($results) == 0) { $results = "This command has no output."; }