Fix a possible XSS issue on public pages.

This commit is contained in:
Buster "Silver Eagle" Neece 2021-08-27 19:46:33 -05:00
parent 888e110c5d
commit 1182a8dbdf
No known key found for this signature in database
GPG Key ID: 6D9E12FF03411F4E
2 changed files with 3 additions and 2 deletions


@ -22,7 +22,7 @@ release channel, you can take advantage of these new features and fixes.
identifier; if you're calling the API externally, you should _always_ use a generated API key and not count on the
user's existing session.
-
- A minor cross-site scripting (XSS) vulnerability on public pages has been resolved.
---


@ -17,6 +17,7 @@ class Customization
public const THEME_BROWSER = 'browser';
public const THEME_LIGHT = 'light';
public const THEME_DARK = 'dark';
public const THEMES = [self::THEME_BROWSER, self::THEME_LIGHT, self::THEME_DARK];
protected ?Entity\User $user = null;
@ -45,7 +46,7 @@ class Customization
// Register current theme
$queryParams = $request->getQueryParams();
if (!empty($queryParams['theme'])) {
if (!empty($queryParams['theme']) && in_array($queryParams['theme'], self::THEMES, true)) {
$this->publicTheme = $this->theme = $queryParams['theme'];
} else {
$this->publicTheme = $this->settings->getPublicTheme() ?? $this->publicTheme;
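Review bot: The `!empty($queryParams['theme'])` guard on the new `if` is redundant now that the value is checked with `in_array(..., self::THEMES, true)`: every entry in THEMES is a non-empty string, so a strict comparison already rejects null, '', '0' and array-valued parameters (`?theme[]=x`), and the condition can read `if (in_array($queryParams['theme'] ?? null, self::THEMES, true)) {`. The allow-list is the right fix for a query value that is presumably echoed into markup, but whatever template emits it should still escape the value, since the constant is now the only barrier and a case added to THEMES later without care would re-open the issue; that template is not visible here. In the first hunk, a short comment on the constant such as `// Allow-list for the user-supplied ?theme= value; entries must stay free of markup` would record why it exists. The enclosing method starts before this hunk.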