fix(admin): escape reflected filter param in report/msg templates [#139] (#271)

Ferywir
2026-06-23 16:59:00 +02:00
committed by GitHub
parent 749a55aaf5
commit 90c5cdd97c
2 changed files with 4 additions and 4 deletions
+2 -2
@@ -128,7 +128,7 @@ $msgs = $database->query("SELECT * FROM ".TB_PREFIX."mdata WHERE $where ORDER BY
</div>
<form class="search-box" method="get">
<input type="hidden" name="p" value="msg">
<input type="hidden" name="f" value="<?php echo $filter;?>">
<input type="hidden" name="f" value="<?php echo htmlspecialchars($filter);?>">
<input type="text" name="q" placeholder="Search..." value="<?php echo htmlspecialchars($search);?>">
</form>
</div>
@@ -162,7 +162,7 @@ $msgs = $database->query("SELECT * FROM ".TB_PREFIX."mdata WHERE $where ORDER BY
<?php if($total > $limit){ $pages = ceil($total/$limit);?>
<div class="pagination">
<?php for($p=1;$p<=$pages && $p<=15;$p++){?>
<a href="?p=msg&page=<?php echo $p;?>&f=<?php echo $filter;?>&q=<?php echo urlencode($search);?>" class="<?php echo $p==$page?'active':'';?>"><?php echo $p;?></a>
<a href="?p=msg&page=<?php echo $p;?>&f=<?php echo urlencode($filter);?>&q=<?php echo urlencode($search);?>" class="<?php echo $p==$page?'active':'';?>"><?php echo $p;?></a>
<?php }?>
</div>
<?php }?>
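Review bot: The query shown in the first hunk header interpolates `$where` directly into the SQL string, and this commit escapes `$filter` only where it is echoed, so if `$where` is assembled from the `f` or `q` request parameters they would still reach the database unescaped. How `$where` is built lies outside both hunks, so this is inferred rather than confirmed. Please check that it uses bound parameters or an allow-list of accepted filter values, and consider recording that above the query with a comment such as `// $filter and $search are request-controlled: bind or allow-list them before they reach $where`.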
+2 -2
@@ -102,7 +102,7 @@ $typeNames = [1=>'reinforcement',2=>'attack',3=>'defence',4=>'scout',5=>'trade',
</div>
<form class="search-box" method="get">
<input type="hidden" name="p" value="report">
<input type="hidden" name="f" value="<?php echo $filter;?>">
<input type="hidden" name="f" value="<?php echo htmlspecialchars($filter);?>">
<input type="text" name="q" placeholder="Search..." value="<?php echo htmlspecialchars($search);?>">
</form>
</div>
@@ -134,7 +134,7 @@ $typeNames = [1=>'reinforcement',2=>'attack',3=>'defence',4=>'scout',5=>'trade',
<?php if($total > $limit){ $pages = ceil($total/$limit);?>
<div class="pagination">
<?php for($p=1;$p<=$pages && $p<=15;$p++){?>
<a href="?p=report&page=<?php echo $p;?>&f=<?php echo $filter;?>&q=<?php echo urlencode($search);?>" class="<?php echo $p==$page?'active':'';?>"><?php echo $p;?></a>
<a href="?p=report&page=<?php echo $p;?>&f=<?php echo urlencode($filter);?>&q=<?php echo urlencode($search);?>" class="<?php echo $p==$page?'active':'';?>"><?php echo $p;?></a>
<?php }?>
</div>
<?php }?>
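Review bot: The new `htmlspecialchars($filter)` call in the hidden `f` input relies on the default flags and charset, and before PHP 8.1 the default flag set is `ENT_COMPAT`, which leaves single quotes unescaped. The attribute is double-quoted, so the output is safe as written, but passing the arguments explicitly keeps it safe if the quoting ever changes or the template runs on an older runtime: `htmlspecialchars($filter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same applies to the hidden `f` input in the message template and to the existing `$search` echo on the line after it in both files.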