From 8ec14404d1ea316960e6c45971f2c05045bf6822 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Tue, 18 Sep 2012 12:07:54 +0000
Subject: bug 2750 fixed: HTML-sanitize $_POST['username_or_email'] before
 display (both username and email don't allow HTML tags...)

Original report by Stefan Schurtz via Secunia SVCRP


git-svn-id: http://piwigo.org/svn/branches/2.4@17983 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 password.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/password.php b/password.php
index 58b8ece3a..0c4ecd05e 100644
--- a/password.php
+++ b/password.php
@@ -324,7 +324,7 @@ if ('lost' == $page['action'])
 
   if (isset($_POST['username_or_email']))
   {
-    $template->assign('username_or_email', stripslashes($_POST['username_or_email']));
+    $template->assign('username_or_email', stripslashes(strip_tags($_POST['username_or_email'])));
   }
 }
 
-- 
cgit v1.2.3