rathena / FluxCP

A web-based Control Panel for rAthena servers written in PHP. Manage player accounts, databases, support tickets, etc. via your browser.
GNU Lesser General Public License v3.0

Fixing xss vulnerability on servicedesk tickets #347

Closed 0xlemas closed 1 year ago

0xlemas commented 1 year ago

This pull request fixes an XSS vulnerability in the project's code. The vulnerability was allowing malicious code to be injected into a page and executed in the user's browser, potentially stealing their cookies and accessing administrator accounts.

To fix this vulnerability, it was identified that the addslashes() method in PHP was not working correctly. It was changed to the htmlentities() method to ensure that the code is protected from XSS attacks.

Changes proposed in this Pull Request:

Akkarinage commented 1 year ago

Updated to include a fix for the input rather than just the output.

Test and confirm please.

0xlemas commented 1 year ago

Good! Very well observed! I noticed that there was a small problem with rendering special characters in the subject field. This commit should be fixing that conversion.
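The three points raised in this thread (addslashes() not stopping script injection, encoding at output, and the subject field rendering special characters wrongly once input was also sanitised) can be shown side by side. The block below is an added illustration written for this page; it is not FluxCP code and does not reproduce the PR's diff. The ticket body and subject are constructed inputs, the function names are invented for the demonstration, and the explanation of the subject problem as double-encoding is my assumption, since the thread itself does not say what caused it.

```php
<?php
// Added example, not FluxCP code. Shows why addslashes() is the wrong tool
// for XSS, what entity-encoding at output does, and how encoding a value on
// input and again on output garbles legitimate special characters.

// Constructed attacker-supplied ticket body (not from the PR).
$body = '<img src=x onerror="alert(document.cookie)">';
// Constructed ticket subject with characters a real player might type.
$subject = 'Zeny & "Cards" <broken>';

// addslashes() only backslash-escapes ' " \ and NUL for string literals;
// it does nothing to < > or event-handler attributes, so the tag survives.
function render_with_addslashes(string $s): string {
    return addslashes($s);
}

// Output encoding: entity-encode when writing into HTML. ENT_QUOTES covers
// both quote styles so the value is also safe inside an attribute.
function render_escaped(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding on input (before storage) AND again on output double-encodes:
// "&" becomes "&amp;" in storage and "&amp;amp;" on the page, which the
// browser renders literally as "&amp;". Assumed cause of the subject issue.
function render_double_encoded(string $s): string {
    $stored = htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return htmlentities($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// If values are already encoded before storage, set double_encode=false on
// output so existing entities are left alone while raw < > " are still fixed.
function render_once(string $s): string {
    $stored = htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return htmlentities($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Self-checks: the addslashes() output still carries the live event handler,
// while the encode-once path is byte-identical to plain output encoding.
if (strpos(render_with_addslashes($body), 'onerror=') === false) {
    throw new RuntimeException('unexpected: addslashes() altered the handler');
}
if (strpos(render_escaped($body), '<') !== false) {
    throw new RuntimeException('unexpected: output encoding left a raw <');
}
if (render_once($subject) !== render_escaped($subject)) {
    throw new RuntimeException('unexpected: encode-once differs from output encoding');
}
if (render_double_encoded($subject) === render_escaped($subject)) {
    throw new RuntimeException('unexpected: no double-encoding observed');
}

echo "addslashes:     ", render_with_addslashes($body), PHP_EOL;
echo "escaped:        ", render_escaped($body), PHP_EOL;
echo "double-encoded: ", render_double_encoded($subject), PHP_EOL;
echo "encoded once:   ", render_once($subject), PHP_EOL;
```

Run it with `php example.php`. The practical rule it demonstrates: pick one place to encode for HTML, normally at output in the template, and if you also sanitise on input make sure the output layer does not encode the stored entities a second time. htmlspecialchars() with the same ENT_QUOTES flag is sufficient for this purpose; htmlentities() is used here only because that is what the PR moved to.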