diff options
| author | plegall <plg@piwigo.org> | 2012-09-18 12:09:45 +0000 |
|---|---|---|
| committer | plegall <plg@piwigo.org> | 2012-09-18 12:09:45 +0000 |
| commit | a8fdff631d594d40f026899965a8f1bc12d718ca (patch) | |
| tree | f5c92700d1bd7f1fed8a73b88eaa7353d44db2fb /password.php | |
| parent | a1002f61fd0a9671ea1dd70f0ac3385db9cf6c16 (diff) | |
merge r17983 from branch 2.4 to trunk
bug 2750 fixed: HTML-sanitize $_POST['username_or_email'] before display (both
username and email don't allow HTML tags...)
Original report by Stefan Schurtz via Secunia SVCRP
git-svn-id: http://piwigo.org/svn/trunk@17984 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'password.php')
| -rw-r--r-- | password.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/password.php b/password.php index 58b8ece3a..0c4ecd05e 100644 --- a/password.php +++ b/password.php @@ -324,7 +324,7 @@ if ('lost' == $page['action']) if (isset($_POST['username_or_email'])) { - $template->assign('username_or_email', stripslashes($_POST['username_or_email'])); + $template->assign('username_or_email', stripslashes(strip_tags($_POST['username_or_email']))); } } |