From 053075533292b3cca26aed582e504c8f7fa8c7cc Mon Sep 17 00:00:00 2001 From: Philipp Date: Wed, 11 Jan 2023 23:09:40 +0100 Subject: [PATCH] Security: Use htmlspecialchars() for user input in Arguments class --- src/App/Page.php | 7 +++++++ view/theme/frio/php/default.php | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/App/Page.php b/src/App/Page.php index 3c746ebccb..a91d400ee8 100644 --- a/src/App/Page.php +++ b/src/App/Page.php @@ -73,6 +73,8 @@ class Page implements ArrayAccess 'right_aside' => '', 'template' => '', 'title' => '', + 'section' => '', + 'module' => '', ]; /** * @var string The basepath of the page @@ -513,6 +515,11 @@ class Page implements ArrayAccess $page = $this->page; + // add and escape some common but crucial content for direct "echo" in HTML (security) + $page['title'] = htmlspecialchars($page['title'] ?? ''); + $page['section'] = htmlspecialchars($args->get(0) ?? 'generic'); + $page['module'] = htmlspecialchars($args->getModuleName() ?? ''); + header("X-Friendica-Version: " . App::VERSION); header("Content-type: text/html; charset=utf-8"); diff --git a/view/theme/frio/php/default.php b/view/theme/frio/php/default.php index 336b529935..c6092393bd 100644 --- a/view/theme/frio/php/default.php +++ b/view/theme/frio/php/default.php @@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser"; ?> - "> + "> t('Skip to main content'); ?>
'; if (!empty($page['content'])) { echo $page['content'];