Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

author Scott González <scott.gonzalez@gmail.com>

Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)

committer Scott González <scott.gonzalez@gmail.com>

Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)
author Scott González <scott.gonzalez@gmail.com>
Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)
committer Scott González <scott.gonzalez@gmail.com>
Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)
diff --git a/demos/autocomplete/search.php b/demos/autocomplete/search.php

index 489b30c1e314eaaf520262faf2eb2f9a104da18e..6ab404ccbd034dafa433342ddc561c0193af4e7f 100644 (file)
--- a/demos/autocomplete/search.php
+++ b/demos/autocomplete/search.php
@@ -586,7 +586,10 @@ foreach ($items as $key=>$value) {
  $output = json_encode($result);
  
  if ($_GET["callback"]) {
-       $output = $_GET["callback"] . "($output);";
+       // Escape special characters to avoid XSS attacks via direct loads of this
+       // page with a callback that contains HTML. This is a lot easier than validating
+       // the callback name.
+       $output = htmlspecialchars($_GET["callback"]) . "($output);";
  }
  
  echo $output;
author	Scott González <scott.gonzalez@gmail.com>
	Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)
committer	Scott González <scott.gonzalez@gmail.com>
	Thu, 22 Sep 2016 11:53:22 +0000 (07:53 -0400)