Patching minor XSS vulnerability

The update output shows the name of the current commit your local installation is on. So if a commit is named <script>alert("xss");</script>, for example, that code will execute when someone updates their installation.

Not a huge deal since we'd notice if someone made a rogue pull request with any commit names like that before ever accepting it into the repo.
This commit is contained in:
ehpersonal38
2023-03-07 18:53:58 -05:00
parent ae1e3bf96f
commit e799b7154a
+2 -1
View File
@@ -353,7 +353,8 @@ if(isset($_GET['view'])){
$output = implode("\n", $lines);
$results = $output;
// remove script tags (xss)
$results = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $results);
if(strlen($results) == 0) {
$results = "This command has no output.";
}