From 69e66ea6556584c39621c184f8f790a1011408ce Mon Sep 17 00:00:00 2001 From: =?utf8?q?Scott=20Gonz=C3=A1lez?= Date: Thu, 22 Sep 2016 07:53:22 -0400 Subject: [PATCH] Autocomplete: Escape HTML tags in callback name to avoid XSS in demo Fixes #15048 --- demos/autocomplete/search.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/demos/autocomplete/search.php b/demos/autocomplete/search.php index 489b30c1e..6ab404ccb 100644 --- a/demos/autocomplete/search.php +++ b/demos/autocomplete/search.php @@ -586,7 +586,10 @@ foreach ($items as $key=>$value) { $output = json_encode($result); if ($_GET["callback"]) { - $output = $_GET["callback"] . "($output);"; + // Escape special characters to avoid XSS attacks via direct loads of this + // page with a callback that contains HTML. This is a lot easier than validating + // the callback name. + $output = htmlspecialchars($_GET["callback"]) . "($output);"; } echo $output; -- 2.39.5