Remove some tags there and here some more output formatting all thanks to the great security researcher @indevi0us for pointing these out to us.

2026-02-28 10:54:52 +00:00 · 2022-12-21 21:31:51 -05:00
parent 9036fe6853
commit 2a16b6d2ae
45 changed files with 150 additions and 150 deletions
--- a/notifications_dismissed.php
+++ b/notifications_dismissed.php
@@ -2,7 +2,7 @@

 //Column Filter
 if(!empty($_GET['sb'])){
-  $sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
+  $sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
 }else{
  $sb = "notification_timestamp";
 }
@@ -15,8 +15,8 @@ if(!isset($_GET['o'])){

 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
-  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
+  $dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
+  $dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
 }else{
  $dtf = "0000-00-00";
  $dtt = "9999-00-00";
@@ -44,7 +44,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
      <div class="row">
        <div class="col-sm-4">
          <div class="input-group">
-            <input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Dismissed Notifications">
+            <input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Dismissed Notifications">
            <div class="input-group-append">
              <button class="btn btn-primary"><i class="fa fa-search"></i></button>
            </div>
@@ -59,13 +59,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
          <div class="col-md-2">
            <div class="form-group">
              <label>Date From</label>
-              <input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
+              <input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
            </div>
          </div>
          <div class="col-md-2">
            <div class="form-group">
              <label>Date To</label>
-              <input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
+              <input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
            </div>
          </div>
        </div>