From e799b7154af1cd221eb3c5a124bf26c48292c357 Mon Sep 17 00:00:00 2001 From: ehpersonal38 <103586016+ehpersonal38@users.noreply.github.com> Date: Tue, 7 Mar 2023 18:53:58 -0500 Subject: [PATCH] Patching minor XSS vulnerability The update output shows the name of the current commit your local installation is on. So if a commit is named , for example, that code will execute when someone updates their installation. Not a huge deal since we'd notice if someone made a rogue pull request with any commit names like that before ever accepting it into the repo. --- homepage/views.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/homepage/views.php b/homepage/views.php index be4e0e5..96db5f7 100644 --- a/homepage/views.php +++ b/homepage/views.php @@ -353,7 +353,8 @@ if(isset($_GET['view'])){ $output = implode("\n", $lines); $results = $output; - + // remove script tags (xss) + $results = preg_replace('#(.*?)#is', '', $results); if(strlen($results) == 0) { $results = "This command has no output."; }