Headline
CVE-2023-0306: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@1815dae
Stored Cross-site Scripting (XSS) in the GitHub repository thorsten/phpmyfaq in versions prior to 3.1.10.
@@ -28,6 +28,7 @@
use phpMyFAQ\Language;
use phpMyFAQ\LinkVerifier;
use phpMyFAQ\Search\SearchFactory;
use phpMyFAQ\Strings;
use phpMyFAQ\Visits;
if (!defined(‘IS_VALID_PHPMYFAQ’)) {
@@ -456,8 +457,9 @@ function verifyEntryURL_failure(XmlRequest)
</td>
<td>
<a href="?action=editentry&id=<?= $record[‘id’] ?>&lang=<?= $record[‘lang’] ?>"
title="<?= $PMF_LANG[‘ad_user_edit’] ?> '<?= str_replace('"’, '´’, $record[‘title’]) ?>’">
<?= $record[‘title’] ?>
title="<?= $PMF_LANG[‘ad_user_edit’] ?> '
<?= str_replace('"’, '´’, Strings::htmlentities($record[‘title’])) ?>’">
<?= Strings::htmlentities($record[‘title’]) ?>
</a>
<?php
if (isset($numCommentsByFaq[$record[‘id’]])) {
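Review bot: The `href` on the anchor's first line still echoes `$record['id']` and `$record['lang']` with no encoding, while the change escapes only the title. Their origin is not visible in this hunk, but if either can carry stored, user-influenced text, the same stored-XSS class remains in that attribute. I would emit them as `(int) $record['id']` and `rawurlencode((string) $record['lang'])`. In the `title` attribute, `str_replace('"', '´', …)` now runs on already-encoded output, so it only matters if `Strings::htmlentities()` leaves double quotes unencoded; confirm the helper's flags and rely on one attribute-safe encoding. The surrounding table markup and the `if` on the last line continue outside the hunk.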