Merge pull request #12 from MoritzHuppert/master

GaneshKandu · web-flow · commit 01aab62eb664 · 2022-02-06T23:14:18.000+05:30
prevention of xss in messages
diff --git a/box/core/kchat.php b/box/core/kchat.php
@@ -184,7 +184,7 @@ function msgencode($txt){
 }
 
 function msgdecode($txt){
-	return json_decode('"'.$txt.'"', 1);
+	return htmlspecialchars(json_decode('"'.$txt.'"', 1));
 }
 
 function isReq($id){
diff --git a/kchat/lib/global.php b/kchat/lib/global.php
@@ -217,7 +217,7 @@ function msgencode($data,$txt){
 }
 
 function msgdecode($data,$txt){
-	return json_decode('"'.$txt.'"', 1);
+	return htmlspecialchars(json_decode('"'.$txt.'"', 1));
 }
 
 function menu($data,$key,$value){

Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ function msgencode($txt){`
`184`	`184`	`}`
`185`	`185`
`186`	`186`	`function msgdecode($txt){`
`187`		`- return json_decode('"'.$txt.'"', 1);`
	`187`	`+ return htmlspecialchars(json_decode('"'.$txt.'"', 1));`
`188`	`188`	`}`
`189`	`189`
`190`	`190`	`function isReq($id){`
Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ function msgencode($data,$txt){`
`217`	`217`	`}`
`218`	`218`
`219`	`219`	`function msgdecode($data,$txt){`
`220`		`- return json_decode('"'.$txt.'"', 1);`
	`220`	`+ return htmlspecialchars(json_decode('"'.$txt.'"', 1));`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`function menu($data,$key,$value){`