creatures.php / monsters.php XSS
Closed this issue · 1 comment
gesior commented
Description:
You can execute JS code sent in the URL.
Steps To Reproduce:
Visit the acc. maker with the URL ?subtopic=creatures&creature=<script>alert()</script>
It shows a JS alert. It should not.
Replace:
- master: https://github.com/slawkens/myaac/blob/master/system/pages/creatures.php#L160
- develop: https://github.com/slawkens/myaac/blob/develop/system/pages/monsters.php#L82
with:
echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
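As an added illustration of the reported bug and its fix (example code written here, not code from the myaac repository; the function names, the harness and the sample inputs other than the issue's own payload are constructed), the vulnerable echo and the escaped version side by side, with the flags a practitioner would want on htmlspecialchars():

```php
<?php
// Added example, not code from the myaac project. It reproduces the shape of
// the vulnerable echo from the issue and places the hardened version beside it.
// Function names and the sample inputs below (except the issue's payload) are
// constructed for illustration.

declare(strict_types=1);

// Vulnerable form: $monster_name comes straight from $_GET['creature'] in the
// original page and is reflected into the HTML unescaped.
function renderMissingVulnerable(string $monster_name): string
{
    return "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
}

// HTML escaping helper. ENT_QUOTES also escapes single quotes (PHP < 8.1
// defaults to ENT_COMPAT, which leaves them alone), ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string, and the
// charset is stated explicitly rather than relying on default_charset.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: same message, user input escaped at the point of output.
function renderMissingHardened(string $monster_name): string
{
    return "Monster with name <b>" . e($monster_name) . "</b> doesn't exist.";
}

// Constructed inputs: the payload from the issue, a single-quote variant that
// survives htmlspecialchars() under PHP's pre-8.1 default flags, and a benign
// name that must pass through unchanged.
$samples = [
    '<script>alert()</script>',
    "' onmouseover='alert(1)",
    'Demon',
];

foreach ($samples as $name) {
    echo "input:      " . $name . PHP_EOL;
    echo "vulnerable: " . renderMissingVulnerable($name) . PHP_EOL;
    echo "hardened:   " . renderMissingHardened($name) . PHP_EOL . PHP_EOL;
}
```

Run with `php example.php`: the vulnerable line reproduces the script tag verbatim, the hardened line turns `<`, `>`, `"` and `'` into entities so the browser renders the text instead of executing it. The escaping shown is correct for HTML element content (the context in the issue); a name reflected into an attribute value or a JavaScript block needs escaping appropriate to that context.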
slawkens commented
Thanks!