From cb925073edeeb97eb4ce61a86cdafccc9b87f9bb Mon Sep 17 00:00:00 2001
From: Mikael Falkvidd <mfalkvidd@op5.com>
Date: Fri, 13 Jun 2014 14:13:03 +0200
Subject: [PATCH] Plug potential XSS hole in views/template.php

REQUEST_URI needs to be sanitized if used. Since we want to refresh
to the same page there is no need to set the URI.

Signed-off-by: Mikael Falkvidd <mfalkvidd@op5.com>
---
 share/pnp/application/views/template.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/share/pnp/application/views/template.php b/share/pnp/application/views/template.php
index 109902f..0cce888 100644
--- a/share/pnp/application/views/template.php
+++ b/share/pnp/application/views/template.php
@@ -4,7 +4,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>; url=<?php echo $_SERVER['REQUEST_URI'] ?>" />
+<meta http-equiv="refresh" content="<?php echo $this->config->conf['refresh'] ?>" />
 <title><?php if (isset($this->title)) echo html::specialchars($this->title) ?></title>
 <?php echo html::stylesheet('media/css/common.css') ?>
 <?php echo html::stylesheet('media/css/imgareaselect-default.css') ?>
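Review bot: The new refresh line still echoes `$this->config->conf['refresh']` unescaped into an HTML attribute, so the patch closes the REQUEST_URI injection but leaves the attribute context dependent on the config value being well-formed. The value appears to come from configuration rather than the request, so the exposure is far smaller, but the template already uses `html::specialchars` for the title two lines below and the same treatment here costs nothing: `<meta http-equiv="refresh" content="<?php echo html::specialchars($this->config->conf['refresh']) ?>" />`. If the refresh interval is always numeric, `(int)` casting it would be the tighter option, though I can't confirm that from this hunk. This is a template fragment, so the surrounding markup continues outside the hunk on both sides.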
-- 
1.9.3