From e799b7154af1cd221eb3c5a124bf26c48292c357 Mon Sep 17 00:00:00 2001
From: ehpersonal38 <103586016+ehpersonal38@users.noreply.github.com>
Date: Tue, 7 Mar 2023 18:53:58 -0500
Subject: [PATCH] Patching minor XSS vulnerability
The update output shows the name of the current commit your local installation is on. So if a commit is named , for example, that code will execute when someone updates their installation.
Not a huge deal since we'd notice if someone made a rogue pull request with any commit names like that before ever accepting it into the repo.
---
homepage/views.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/homepage/views.php b/homepage/views.php
index be4e0e5..96db5f7 100644
--- a/homepage/views.php
+++ b/homepage/views.php
@@ -353,7 +353,8 @@ if(isset($_GET['view'])){
$output = implode("\n", $lines);
$results = $output;
-
+ // remove script tags (xss)
+ $results = preg_replace('##is', '', $results);
if(strlen($results) == 0) {
$results = "This command has no output.";
}