never allow {{ }} in user-input

froxlor · May 10, 2024 · 1a5680d · 1a5680d
1 parent c07ff16
commit 1a5680d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/Froxlor/UI/Request.php b/lib/Froxlor/UI/Request.php
@@ -101,6 +101,9 @@ public static function cleanAll()
 			unset($value);
 
 			$antiXss = new AntiXSS();
+			$antiXss->addNeverAllowedRegex([
+				'{{(.*)}}' => ''
+			]);
 
 			// check $_GET
 			PhpHelper::cleanGlobal($_GET, $antiXss);