Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

Fixes #15048
2024-11-21 11:04:24 +00:00 · 2016-09-22 07:53:22 -04:00 · 2016-09-22 07:53:22 -04:00 · 69e66ea655
commit 69e66ea655
parent c571d2f234
1 changed files with 4 additions and 1 deletions
--- a/demos/autocomplete/search.php
+++ b/demos/autocomplete/search.php
@ -586,7 +586,10 @@ foreach ($items as $key=>$value) {
 $output = json_encode($result);

 if ($_GET["callback"]) {
-	$output = $_GET["callback"] . "($output);";
+	// Escape special characters to avoid XSS attacks via direct loads of this
+	// page with a callback that contains HTML. This is a lot easier than validating
+	// the callback name.
+	$output = htmlspecialchars($_GET["callback"]) . "($output);";
 }

 echo $output;