From c30796444387d9ba259ad95c55c2cf47ac0be0c8 Mon Sep 17 00:00:00 2001
From: ubergeek
Date: Fri, 7 Apr 2023 17:23:46 +0000
Subject: [PATCH] fixed XSS vulnerability
---
 wiki.php | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/wiki.php b/wiki.php
index 546659b..f6bd7e6 100644
--- a/wiki.php
+++ b/wiki.php
@@ -14,17 +14,30 @@ $style = $_GET['style'];
 $Parsedown = new Parsedown();
 $Parsedown->setSafeMode(true);
+$page = htmlentities($page);
+$style = htmlentities($style);
+
+
 if ( $page == "") {
- $page = "main";
- }
+ $page = "main";
+}
+
+if (!file_exists("$doc_root/articles/$page.md")) {
+ $page = "main";
+}
 if ( $style == "") {
- if ( $site_style == "") {
- $site_style="site";
- }
+ if ( $site_style == "") {
+ $site_style="site";
+ }
 } else {
- $site_style=$style;
+ if (file_exists("$doc_root/includes/$style.md")) {
+ $site_style=$style;
+ }
+ else {
+ $site_style="site";
+ }
 }
 $header = file_get_contents("$doc_root/includes/header.md");
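Review bot: The added `$page = htmlentities($page);` encodes for HTML output but does not constrain what reaches the filesystem in the new `file_exists("$doc_root/articles/$page.md")` check — characters such as `/` and `.` pass through `htmlentities()` unchanged, so the value can still act as a relative path rather than a bare article name, and the same applies to `$style` in `"$doc_root/includes/$style.md"`. Validate the name against an anchored allowlist before the existence check, e.g. `if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $page)) { $page = "main"; }`, with the equivalent guard for `$style`; this also covers the empty-string case the existing `if ( $page == "")` handles. Encoding at the point the value is read also means the entity-encoded form is what is used for the path lookup; entity-encoding belongs where `$page` and `$style` are echoed into the page, which is outside this hunk. The script's top-level statements continue past both ends of the hunk.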