Commit 8fc99d0c authored by Colonel's avatar Colonel

fix xss

parent 333009ea
......@@ -106,10 +106,9 @@ if ( $_REQUEST["action"] == "area_html" )
$ty = intval($_REQUEST['y']);
if ( isset($_REQUEST["highlight"]) )
echo "<div style=\"position:relative;\"><img src=\"?action=area_image&amp;x=$tx&amp;y=$ty&amp;highlight=".$_REQUEST["highlight"]."\" style=\"position:absolute;top:0px;left:0px;\" />";
echo "<div style=\"position:relative;\"><img src=\"?action=area_image&amp;x=$tx&amp;y=$ty&amp;highlight=".htmlspecialchars($_REQUEST["highlight"])."\" style=\"position:absolute;top:0px;left:0px;\" />";
else
// echo "<div style=\"position:relative;\"><img src=\"?action=area_image&amp;x=$tx&amp;y=$ty\" style=\"position:absolute;top:0px;left:0px;\" />";
echo "<div style=\"position:relative;\"><img src=\"?action=area_image&amp;x=$tx&amp;y=$ty\" style=\"position:absolute;top:0px;left:0px;\" />";
$x1 = $tx;
$y1 = $ty;
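Review bot: The escaping added on the new echo line covers the HTML-attribute context but not the URL context the value sits in: `highlight` is spliced into the query string of `src`, so characters such as `&`, `#` and `=` pass through htmlspecialchars untouched and can reshape the query that the `area_image` action receives, and on PHP before 8.1 the default flags also leave single quotes unescaped. Encode for the URL first and pin the flags: `$highlight = htmlspecialchars(rawurlencode($_REQUEST["highlight"]), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and interpolate `$highlight` in the echo; the `area_image` handler should still validate the parameter on its own rather than trust the link. The unbraced if/else is easy to misread, and the commented-out echo before the else branch reads as leftover code if it survives on the new side, which the rendered view does not make certain. The enclosing `if ( $_REQUEST["action"] == "area_html" )` block starts before the hunk.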