From be0778ab84372d64d05f9ad951ce1f4b1ac602a7 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 4 Feb 2022 16:55:45 -0500
Subject: [PATCH] Strip slashes on user agent and ip to prevent user header modification for XSS attack in API logging

---
 api.php                     | 4 ++--
 api/v1/validate_api_key.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api.php b/api.php
index 098c6c60..5a78eb6d 100644
--- a/api.php
+++ b/api.php
@@ -4,9 +4,9 @@ include("functions.php");
 include("config.php");
 // Get user IP
-$ip = mysqli_real_escape_string($mysqli,get_ip());
+$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
 // Get user agent
-$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
+$user_agent = stip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
 // Check API key is provided in GET request as 'api_key'
 if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
diff --git a/api/v1/validate_api_key.php b/api/v1/validate_api_key.php
index 16d3af63..01695ae8 100644
--- a/api/v1/validate_api_key.php
+++ b/api/v1/validate_api_key.php
@@ -7,9 +7,9 @@ include(__DIR__ . "../../../config.php");
 header('Content-Type: application/json');
 // Get user IP
-$ip = mysqli_real_escape_string($mysqli,get_ip());
+$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
 // Get user agent
-$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']);
+$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
 // Setup return array
 $return_arr = array();
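Review bot: The new `$user_agent` line in api.php calls `stip_tags(...)`, which is not a PHP function, so every request through api.php will fail with "Call to undefined function stip_tags()" before the API key is even checked; the validate_api_key.php hunk spells it correctly, so this is a typo: `$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));`. While touching this line, `$_SERVER['HTTP_USER_AGENT']` is read without a null-coalesce in both files, and a client that sends no User-Agent header will trigger a warning and pass null into the escaping call; `$_SERVER['HTTP_USER_AGENT'] ?? ''` closes that. The commit subject says "strip slashes" but the code strips tags, which is worth aligning so the history is not misleading.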
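Review bot: `strip_tags()` on the stored `$ip` and `$user_agent` values is not a context-aware escape and does not fully address the XSS the subject describes: quotes, `&` and event-handler text survive it, so a value that is later placed inside an HTML attribute (or a JavaScript string) is still injectable, and the same applies to the api.php hunk. The durable fix is to escape at the point where the log row is rendered, with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and to keep the stored value as the client actually sent it so the log remains useful forensically. Applying `strip_tags()` after `mysqli_real_escape_string()` also interleaves two different escaping layers on the same variable, which makes it hard to reason about what the stored string represents; where the log is rendered is outside this hunk, so this is inferred from the commit message rather than visible code.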