Fix XSS in error message (thanks to Sharif aka Vincent Pentester)

Mibew · Dec 25, 2020 · b8bad36 · b8bad36
1 parent 1c3d9c9
commit b8bad36
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php b/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php
@@ -51,7 +51,7 @@ public function generateAction(Request $request)
         $image_locales_map = $this->getImageLocalesMap(MIBEW_FS_ROOT . '/locales');
         $image = $request->query->get('i', 'mibew');
         if (!isset($image_locales_map[$image])) {
-            $page['errors'][] = 'Unknown image: ' . $image;
+            $page['errors'][] = 'Unknown image: ' . htmlspecialchars($image);
             $avail = array_keys($image_locales_map);
             $image = $avail[0];
         }