Add request parameter filtering to avoid XSS attacks

technicalguru · technicalguru · commit eca361d3a350 · 2023-01-28T15:44:21.000Z
diff --git a/src/WebApp/Layout.php b/src/WebApp/Layout.php
@@ -61,7 +61,7 @@ protected function renderMeta() {
 		if (!isset($meta['viewport']))  $meta['viewport']  = 'width=device-width, initial-scale=1, shrink-to-fit=no';
 		if (!isset($meta['pageclass'])) $meta['pageclass'] = get_class($this->page);
 		if (!isset($meta['canonical'])) {
-			$params = $this->app->request->params ? '?'.$this->app->request->params : '';
+			$params = $this->app->request->params ? '?'.\TgUtils\StringFilters::$NO_HTML->filter($this->app->request->params) : '';
 			$meta['canonical'] = $this->app->router->getCanonicalPath().$params;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ protected function renderMeta() {`
`61`	`61`	`if (!isset($meta['viewport'])) $meta['viewport'] = 'width=device-width, initial-scale=1, shrink-to-fit=no';`
`62`	`62`	`if (!isset($meta['pageclass'])) $meta['pageclass'] = get_class($this->page);`
`63`	`63`	`if (!isset($meta['canonical'])) {`
`64`		`- $params = $this->app->request->params ? '?'.$this->app->request->params : '';`
	`64`	`+ $params = $this->app->request->params ? '?'.\TgUtils\StringFilters::$NO_HTML->filter($this->app->request->params) : '';`
`65`	`65`	`$meta['canonical'] = $this->app->router->getCanonicalPath().$params;`
`66`	`66`	`}`
`67`	`67`