filter.php: Escape filter query term value to avoid XSS. Fixes #2462

2019-02-09 15:35:55 -08:00 · 2019-02-09 15:35:55 -08:00 · bb75dad091
parent dd37808ef7
commit bb75dad091
1 changed files with 2 additions and 2 deletions
--- a/web/skins/classic/views/filter.php
+++ b/web/skins/classic/views/filter.php
@ -281,13 +281,13 @@ for ( $i=0; $i < count($terms); $i++ ) {
    } else {
 ?>
              <td><?php echo htmlSelect("filter[Query][terms][$i][op]", $opTypes, $term['op']); ?></td>
-              <td><input type="text" name="filter[Query][terms][<?php echo $i ?>][val]" value="<?php echo $term['val'] ?>"/></td>
+              <td><input type="text" name="filter[Query][terms][<?php echo $i ?>][val]" value="<?php echo validHtmlStr($term['val']) ?>"/></td>
 <?php
    }
  } else {
 ?>
              <td><?php echo htmlSelect("filter[Query][terms][$i][op]", $opTypes, $term['op']); ?></td>
-              <td><input type="text" name="filter[Query][terms][<?php echo $i ?>][val]" value="<?php echo isset($term['val'])?$term['val']:'' ?>"/></td>
+              <td><input type="text" name="filter[Query][terms][<?php echo $i ?>][val]" value="<?php echo isset($term['val'])?validHtmlStr($term['val']):'' ?>"/></td>
 <?php
  }
 ?>