msphn requested changes on this pull request.
> @@ -16,17 +16,20 @@
if (file_exists(CONTENTPATH . $_GET['site'] . '.html'))
{
define('CONTENTFILE', CONTENTPATH . $_GET['site'] . '.html');
+ define('PAGETITLE', $_GET['site']);
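Review bot: the added `define('PAGETITLE', $_GET['site']);` stores the raw query parameter, and the only guard in this hunk is `file_exists(CONTENTPATH . $_GET['site'] . '.html')`, which confirms that some file exists at the concatenated path but does not constrain the characters in the value. Restrict the parameter to the expected page-name alphabet before it is used either in the path or as the title, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $_GET['site'])) { /* reject */ }` ahead of the `file_exists` check, so that both the file lookup and the later title output only ever see a validated name.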
That's an easy XSS vuln! You need to validate it before assigning it.
> @@ -37,7 +40,7 @@
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
- <title>Plugins for Geany</title>
+ <title>Plugins for Geany [<?php print PAGETITLE ?>]</title>
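Review bot: `<?php print PAGETITLE ?>` writes the constant into the page with no output escaping, and PAGETITLE is set from `$_GET['site']` in the earlier hunk, so whatever survives the file check is echoed into the `<title>` element as-is. Escape at the point of output regardless of any input validation: `<title>Plugins for Geany [<?php print htmlspecialchars(PAGETITLE, ENT_QUOTES, 'UTF-8') ?>]</title>`.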
Here you just throw it out without escaping it; watch htmlspecialchars and so on.
--
https://github.com/geany/plugins.geany.org/pull/13#pullrequestreview-124188019