Fix a possible XSS issue on public pages.
This commit is contained in:
parent
888e110c5d
commit
1182a8dbdf
|
@ -22,7 +22,7 @@ release channel, you can take advantage of these new features and fixes.
|
|||
identifier; if you're calling the API externally, you should _always_ use a generated API key and not count on the
|
||||
user's existing session.
|
||||
|
||||
-
|
||||
- A minor cross-site scripting (XSS) vulnerability on public pages has been resolved.
|
||||
|
||||
---
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@ class Customization
|
|||
public const THEME_BROWSER = 'browser';
|
||||
public const THEME_LIGHT = 'light';
|
||||
public const THEME_DARK = 'dark';
|
||||
public const THEMES = [self::THEME_BROWSER, self::THEME_LIGHT, self::THEME_DARK];
|
||||
|
||||
protected ?Entity\User $user = null;
|
||||
|
||||
|
@ -45,7 +46,7 @@ class Customization
|
|||
// Register current theme
|
||||
$queryParams = $request->getQueryParams();
|
||||
|
||||
if (!empty($queryParams['theme'])) {
|
||||
if (!empty($queryParams['theme']) && in_array($queryParams['theme'], self::THEMES, true)) {
|
||||
$this->publicTheme = $this->theme = $queryParams['theme'];
|
||||
} else {
|
||||
$this->publicTheme = $this->settings->getPublicTheme() ?? $this->publicTheme;
|
||||
|
|
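Review bot: The new guard `if (!empty($queryParams['theme']) && in_array($queryParams['theme'], self::THEMES, true))` carries a redundant `!empty()`: a strict `in_array` against `self::THEMES` already rejects `null`, `''`, `'0'` and array-valued query parameters, so `if (in_array($queryParams['theme'] ?? null, self::THEMES, true)) {` expresses the allow-list in one check. The allow-list itself is the right shape of fix, since it stops an attacker-controlled query value from ever being stored in `$this->theme` / `$this->publicTheme` and later reaching output; the silent fallback to the configured theme for an unrecognised value is reasonable but deserves a line such as `// Only accept known theme names; anything else falls back to the configured public theme.` The `THEMES` constant added in the first hunk is what makes this check possible; if the project targets PHP 8.1+, a backed enum with `tryFrom()` could replace both the constants and the array (presumably not the case here — confirm the minimum version). The enclosing method starts and ends outside the hunk.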