Commit 26e27e6b
Fix XSS in all messages using the pod's name.
This commit fixes a Persistent XSS. The problem was that at no point was the output sanitized, allowing each pod to control the column 'name' in the database. Since this can be set to anything one wants, it can be malicious. Using htmlentities(name, ENT_QUOTES) should be sufficient to ward this off.
Showing with 11 additions and 6 deletions
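
The fix described in the commit message, as an added PHP example that is not code from this commit or project: the `$pod` row, the `render_*` helpers and the markup are assumptions made for illustration. It also shows why the `ENT_QUOTES` flag matters when the stored name ends up inside a single-quoted attribute.

```php
<?php
// Added example. The row, helper names and markup are hypothetical.

// Constructed sample row: the remote pod fully controls the 'name' column.
$pod = ['name' => "pod.example' onmouseover='alert(1)"];

// Shared template: the name appears in a single-quoted attribute and in text.
function message(string $name): string
{
    return "<span title='" . $name . "'>Pod " . $name . " was added.</span>";
}

// Before the fix: the stored value is copied into the page verbatim,
// so the quote in the name closes the title attribute.
function render_unsafe(array $pod): string
{
    return message($pod['name']);
}

// ENT_COMPAT (the default flag set before PHP 8.1) encodes < > & and "
// but leaves ' alone, so the single-quoted attribute can still be closed.
function render_compat(array $pod): string
{
    return message(htmlentities($pod['name'], ENT_COMPAT, 'UTF-8'));
}

// The approach named in the commit message: encode at output time with
// ENT_QUOTES, which also turns ' into &#039;.
function render_safe(array $pod): string
{
    return message(htmlentities($pod['name'], ENT_QUOTES, 'UTF-8'));
}

foreach (['render_unsafe', 'render_compat', 'render_safe'] as $fn) {
    $html = $fn($pod);
    // The attribute is broken out of if a raw ' from the name survives.
    $escaped = strpos($html, "example' on") === false;
    printf("%-14s %s\n  %s\n", $fn, $escaped ? 'quote encoded' : 'quote NOT encoded', $html);
}
```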