fixed XSS vulnerability

2023-04-07 17:23:46 +00:00 · 2023-04-07 17:23:46 +00:00 · c307964443
parent 538d9a38e2
commit c307964443
1 changed files with 19 additions and 6 deletions
--- a/wiki.php
+++ b/wiki.php
@ -14,17 +14,30 @@ $style = $_GET['style'];
 $Parsedown = new Parsedown();
 $Parsedown->setSafeMode(true);

+$page = htmlentities($page);
+$style = htmlentities($style);
+
+
 if ( $page == "") {
-	$page = "main";
-	}
+        $page = "main";
+}
+
+if (!file_exists("$doc_root/articles/$page.md")) {
+        $page = "main";
+}

 if ( $style == "") {
-	if ( $site_style == "") {
-		$site_style="site";
-	}
+        if ( $site_style == "") {
+                $site_style="site";
+        }
 }
 else {
-	$site_style=$style;
+        if (file_exists("$doc_root/includes/$style.md")) {
+                $site_style=$style;
+        }
+        else {
+                $site_style="site";
+        }
 }

 $header  = file_get_contents("$doc_root/includes/header.md");