Closed alexpandele closed 8 years ago
Oops, that must be fixed. Should we also consider setting up a content security policy (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)? @rimas-kudelis
The patch looks good, although I haven't tested. CSP is a separate issue that can be tackled in another bug/PR.
I just checked that error messages are still shown, but not all combinations. Looks good to me as well. CSP will be a new PR.
The $_GET variables are echoed unmodified, which represents an XSS risk. All the pages that require config/header.php are vulnerable.
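The reflected-XSS pattern the issue describes, shown next to the escaped form, as an added example that is not the project's own code or the patch under review. It assumes a request parameter named `page` that the header renders into both a text node and an attribute value; the parameter name, the `render_*` functions and the payload are constructed for illustration.

```php
<?php
// Added example (not the project's code). Models a page that includes
// config/header.php and reflects a request parameter into the HTML.
// The parameter name "page" and the payload are constructed for illustration.

// Constructed request, standing in for the real $_GET superglobal.
$request = ['page' => '"><script>alert(document.cookie)</script>'];

// Vulnerable pattern from the issue: the raw value is concatenated into markup,
// so a crafted value closes the attribute and injects a script element.
function render_title_vulnerable(array $get): string
{
    $page = $get['page'] ?? '';
    return '<title>' . $page . '</title>' . "\n"
         . '<input type="hidden" name="page" value="' . $page . '">';
}

// Hardened form: encode for the HTML context at the point of output.
// ENT_QUOTES also escapes single and double quotes, which is what keeps the
// value from breaking out of an attribute; ENT_SUBSTITUTE avoids returning an
// empty string (and silently dropping the content) on invalid UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title_safe(array $get): string
{
    $page = $get['page'] ?? '';
    return '<title>' . e($page) . '</title>' . "\n"
         . '<input type="hidden" name="page" value="' . e($page) . '">';
}

echo "--- vulnerable ---\n", render_title_vulnerable($request), "\n";
echo "--- escaped ---\n",    render_title_safe($request), "\n";
```

Run with `php example.php`: the first block contains a live `<script>` element, the second contains only `&quot;&gt;&lt;script&gt;...` entities that the browser renders as text. Escaping belongs at every output point, not once at input, because the same value may be emitted into HTML text, an attribute, and a URL, and each context needs its own encoding. To find the remaining sinks in a tree, `grep -rn '\$_GET\|\$_REQUEST' --include='*.php' .` and check each `echo`/`print`/short-echo line that touches them. A Content-Security-Policy header, which the thread defers to a separate PR, is a useful second layer but does not replace output encoding.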