Merge pull request #537 from sebastian-meyer/fix-xss-issue

Fix XSS issue
Sebastian Meyer 2020-07-30 09:32:47 +02:00 committed by GitHub
commit b028292576
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 4 deletions


@ -11,7 +11,7 @@ conf.py:
copyright: 2017
project: Kitodo.Presentation
version: 2.3
release: 2.3.0
release: 2.3.1
intersphinx_mapping:
t3tsref:
- http://docs.typo3.org/typo3cms/TyposcriptReference/


@ -21,7 +21,7 @@ $EM_CONF[$_EXTKEY] = array (
'uploadfolder' => TRUE,
'createDirs' => '',
'clearCacheOnLoad' => FALSE,
'version' => '2.3.0',
'version' => '2.3.1',
'constraints' => array (
'depends' => array (
'php' => '7.0.0-',


@ -365,7 +365,7 @@ class tx_dlf_listview extends tx_dlf_plugin {
if ($piVar != 'order' && $piVar != 'DATA' && !empty($value)) {
$sorting .= '<input type="hidden" name="'.$this->prefixId.'['.$piVar.']" value="'.htmlspecialchars($value).'" />';
$sorting .= '<input type="hidden" name="'.$this->prefixId.'['.preg_replace('/[^A-Za-z0-9_-]/', '', $piVar).']" value="'.htmlspecialchars($value).'" />';
}
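Review bot: The `preg_replace` on `$piVar` rewrites an unexpected key instead of rejecting it, so a name containing other characters is still emitted, under a different and possibly empty key, and two distinct keys can collapse into one. Skipping such entries is easier to reason about, for example by extending the guard with `&& preg_match('/^[A-Za-z0-9_-]+$/', $piVar)`. The same expression is repeated in tx_dlf_navigation, so a small helper in the shared base class tx_dlf_plugin would keep the two forms in sync. `htmlspecialchars($value)` also assumes `$value` is a string; the loop starts outside this hunk, so whether nested piVars arrays can reach it should be confirmed.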


@ -75,7 +75,7 @@ class tx_dlf_navigation extends tx_dlf_plugin {
if ($piVar != 'page' && $piVars != 'DATA' && !empty($value)) {
$output .= '<input type="hidden" name="'.$this->prefixId.'['.$piVar.']" value="'.htmlspecialchars($value).'" />';
$output .= '<input type="hidden" name="'.$this->prefixId.'['.preg_replace('/[^A-Za-z0-9_-]/', '', $piVar).']" value="'.htmlspecialchars($value).'" />';
}
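Review bot: The guard on the context line tests `$piVars != 'DATA'` rather than `$piVar`, which this commit leaves unchanged; the parallel check in tx_dlf_listview uses `$piVar`, so this looks like a typo that makes the `DATA` exclusion ineffective here. Suggested line: `if ($piVar != 'page' && $piVar != 'DATA' && !empty($value)) {`. The loop header is outside the hunk, so what `$piVars` holds at this point is inferred and should be checked against the full method.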