From 98c58bb1d69ce22e193d9ba3d707bd4cfbd6a92d Mon Sep 17 00:00:00 2001
From: Laurent Jouanneau
Date: Mon, 17 Jun 2024 15:59:39 +0200
Subject: [PATCH] [security] Fix cross-site scripting issue with the theme parameter

---
 lizmap/modules/view/controllers/default.classic.php | 7 ++++---
 lizmap/modules/view/controllers/lizMap.classic.php | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/lizmap/modules/view/controllers/default.classic.php b/lizmap/modules/view/controllers/default.classic.php
index b19e241ab4..51df937b1e 100644
--- a/lizmap/modules/view/controllers/default.classic.php
+++ b/lizmap/modules/view/controllers/default.classic.php
@@ -3,7 +3,7 @@
  * Displays a list of project for a given repository.
  *
  * @author 3liz
- * @copyright 2012-2023 3liz
+ * @copyright 2012-2024 3liz
  *
  * @see http://3liz.com
  *
@@ -20,8 +20,9 @@ class defaultCtrl extends jController
  */
 public function index()
 {
- if ($this->param('theme')) {
- jApp::config()->theme = $this->param('theme');
+ $theme = $this->param('theme');
+ if ($theme && preg_match('/^[a-zA-Z0-9\-_]+$/', $theme)) {
+ jApp::config()->theme = $theme;
 }
 
 /** @var jResponseHtml $rep */
diff --git a/lizmap/modules/view/controllers/lizMap.classic.php b/lizmap/modules/view/controllers/lizMap.classic.php
index 52cabb5b1a..2e1eeed57c 100644
--- a/lizmap/modules/view/controllers/lizMap.classic.php
+++ b/lizmap/modules/view/controllers/lizMap.classic.php
@@ -37,10 +37,10 @@ class lizMapCtrl extends jController
  */
 public function index()
 {
- if ($this->param('theme')) {
- jApp::config()->theme = $this->param('theme');
+ $theme = $this->param('theme');
+ if ($theme && preg_match('/^[a-zA-Z0-9\-_]+$/', $theme)) {
+ jApp::config()->theme = $theme;
 }
- $ok = true;
 
 // Get the project
 $project = htmlspecialchars(strip_tags($this->param('project')));
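Review bot: The allow-list regex in the new `if` of the default.classic.php `index()` hunk does not pin the end of the string: without the `D` modifier, `$` also matches before a trailing newline, so a value that ends in a newline passes validation and is stored in `jApp::config()->theme` with the newline intact. In addition, if `$this->param('theme')` can return a non-string (an array-valued query parameter), `preg_match` is handed an array and on PHP 8 throws a TypeError instead of rejecting the value — inferred, since the signature of `param()` is not visible here. A tighter guard is `if (is_string($theme) && $theme !== '' && preg_match('/^[a-zA-Z0-9_-]+$/D', $theme)) {`. The same three lines are duplicated verbatim in the lizMap.classic.php hunk; a single helper shared by both controllers would keep the two allow-lists from drifting apart. `index()` continues past the end of the hunk in both files.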