From cb925073edeeb97eb4ce61a86cdafccc9b87f9bb Mon Sep 17 00:00:00 2001

From: Mikael Falkvidd <mfalkvidd@op5.com>

Date: Fri, 13 Jun 2014 14:13:03 +0200

Subject: [PATCH] Plug potential XSS hole in views/template.php

REQUEST_URI needs to be sanitized if used. Since we want to refresh

to the same page there is no need to set the URI.

Signed-off-by: Mikael Falkvidd <mfalkvidd@op5.com>

---

 share/pnp/application/views/template.php | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/share/pnp/application/views/template.php b/share/pnp/application/views/template.php

index 109902f..0cce888 100644

--- a/share/pnp/application/views/template.php

+++ b/share/pnp/application/views/template.php

@@ -4,7 +4,7 @@

 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

 <head>

 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

-<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>; url=<?php echo $_SERVER['REQUEST_URI'] ?>" />

+<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>" />

 <title>title)) echo html::specialchars($this->title) ?></title>

-- 

1.9.3