mikehenken/Items-Manager

items/inc/edit-2.php is reading the XML file by using unfiltered values from $_GET


$id = @$_GET['edit'];
$file = ITEMDATA . $id . '.xml';
$data_edit = @getXML($file);

There should probably be a file containing the list of all items, and the values from $_GET should be validated against it.

data/other/item_manager.xml would be a good place for such a list...
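One way to apply the allowlist the report proposes, as an added example that is not code from the Items-Manager project. It assumes that item_manager.xml lists items as <item id="..."/> elements, that ITEMDATA and getXML() are the project's existing constant and helper, and the helper names loadAllowedItemIds() and resolveItemFile() are chosen here.

```php
<?php
// Added illustration, not code from the Items-Manager repository.
// Assumed: ITEMDATA (directory of item XML files, with trailing slash) and
// getXML() exist in the project as the issue shows; the element layout of
// data/other/item_manager.xml (<items><item id="..."/></items>) is assumed,
// as are the helper names below.

// Build the allowlist of known item ids from the manager file.
function loadAllowedItemIds(string $listFile): array {
    $xml = @simplexml_load_file($listFile);
    if ($xml === false) {
        return [];
    }
    $ids = [];
    foreach ($xml->item as $item) {
        $ids[(string) $item['id']] = true;
    }
    return $ids;
}

// Resolve the requested id to a file only if it is on the allowlist and,
// as a second line of defence, matches a strict character set and stays
// inside the item directory after path resolution.
function resolveItemFile(string $id, array $allowed): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;          // rejects "../", null bytes, stream wrappers
    }
    if (!isset($allowed[$id])) {
        return null;          // unknown item: do not touch the filesystem
    }
    $real = realpath(ITEMDATA . $id . '.xml');
    $base = realpath(ITEMDATA);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;          // resolved path escaped the item directory
    }
    return $real;
}

// Replacement for the three lines quoted in the issue.
$id = isset($_GET['edit']) ? (string) $_GET['edit'] : '';
$allowed = loadAllowedItemIds('data/other/item_manager.xml');
$file = resolveItemFile($id, $allowed);
if ($file === null) {
    http_response_code(400);
    exit('Unknown item');
}
$data_edit = getXML($file);
```

Rejected ids are worth logging server-side, since a request for an id outside the list is a useful signal of probing.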