[security] Fix cross-site scripting issue with the theme parameter

3liz · Jun 17, 2024 · 98c58bb · 98c58bb
1 parent ee7fceb
commit 98c58bb
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/lizmap/modules/view/controllers/default.classic.php b/lizmap/modules/view/controllers/default.classic.php
@@ -3,7 +3,7 @@
  * Displays a list of project for a given repository.
  *
  * @author    3liz
- * @copyright 2012-2023 3liz
+ * @copyright 2012-2024 3liz
  *
  * @see      http://3liz.com
  *
@@ -20,8 +20,9 @@ class defaultCtrl extends jController
      */
     public function index()
     {
-        if ($this->param('theme')) {
-            jApp::config()->theme = $this->param('theme');
+        $theme = $this->param('theme');
+        if ($theme && preg_match('/^[a-zA-Z0-9\-_]+$/', $theme)) {
+            jApp::config()->theme = $theme;
         }
 
         /** @var jResponseHtml $rep */

diff --git a/lizmap/modules/view/controllers/lizMap.classic.php b/lizmap/modules/view/controllers/lizMap.classic.php
@@ -37,10 +37,10 @@ class lizMapCtrl extends jController
      */
     public function index()
     {
-        if ($this->param('theme')) {
-            jApp::config()->theme = $this->param('theme');
+        $theme = $this->param('theme');
+        if ($theme && preg_match('/^[a-zA-Z0-9\-_]+$/', $theme)) {
+            jApp::config()->theme = $theme;
         }
-        $ok = true;
 
         // Get the project
         $project = htmlspecialchars(strip_tags($this->param('project')));