Hello, I noticed in the /report route that the passphrase variable is being reflected to the front page without escaping, and that allows an attacker to execute arbitrary JS:

    if (! in_array($_POST['passphrase'], $auth_list)) {
        $this->error('passphrase "'.$_POST['passphrase'].'" not accepted');
    }

A simple htmlspecialchars($_POST['passphrase']); could do the job, I guess.
Good day.
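As an added illustration (not the reporter's or the project's code), here is the reflected error message from the report as written and then with the value escaped for the HTML context at output. The $auth_list contents, the error() helper (replaced by a function returning HTML) and the sample POST value are assumed or constructed here.

```php
<?php
// Added example, not the project's code: the reflected error message from the
// report, first as written (vulnerable) and then with output escaping applied.
// $auth_list and the error() method are assumed to exist in the real project;
// here they are stood in by a constructed list and a function returning HTML.

declare(strict_types=1);

$auth_list = ['correct-horse-battery-staple']; // constructed sample allow-list

// Vulnerable form, as in the report: POST data lands in the page unchanged.
function error_message_unescaped(string $passphrase): string
{
    return '<p class="error">passphrase "' . $passphrase . '" not accepted</p>';
}

// Hardened form: escape for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes (only the default since PHP 8.1);
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function error_message_escaped(string $passphrase): string
{
    $safe = htmlspecialchars($passphrase, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="error">passphrase "' . $safe . '" not accepted</p>';
}

// Returns the escaped error HTML when the passphrase is rejected, null when accepted.
function check_passphrase(array $post, array $auth_list): ?string
{
    $passphrase = (string)($post['passphrase'] ?? '');
    // Strict comparison avoids PHP type juggling on the allow-list check.
    if (!in_array($passphrase, $auth_list, true)) {
        return error_message_escaped($passphrase);
    }
    return null;
}

// Constructed sample input standing in for $_POST: a value that closes the
// quoted text and injects markup when reflected without escaping.
$sample_post = ['passphrase' => '"><i>not a passphrase</i>'];
echo error_message_unescaped($sample_post['passphrase']), PHP_EOL; // raw markup survives
echo check_passphrase($sample_post, $auth_list), PHP_EOL;           // &quot;&gt;&lt;i&gt;... inert text
```

Escaping belongs at the output point rather than on the incoming value, since the same passphrase may later be compared or logged where HTML entities would be wrong.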