diff options
| author | mattab <matthieu.aubry@gmail.com> | 2015-02-27 06:51:21 +0300 |
|---|---|---|
| committer | mattab <matthieu.aubry@gmail.com> | 2015-02-27 06:51:21 +0300 |
| commit | 5d8aaa74a76d21ff530e2fe71afada2215dfe226 (patch) | |
| tree | d01e8ad5fa61ae43af93c80d003d923a8b790143 /core/Common.php | |
| parent | 282f8830d7bf9915f9006f2e02782a250813e17d (diff) | |
In Tracker debug mode, enforce text/plain content type to minimise risk of XSS while debugging
Diffstat (limited to 'core/Common.php')
| -rw-r--r-- | core/Common.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/core/Common.php b/core/Common.php index 35db6692ce..7e3bcbc7af 100644 --- a/core/Common.php +++ b/core/Common.php @@ -1280,6 +1280,11 @@ class Common { if (isset($GLOBALS['PIWIK_TRACKER_DEBUG']) && $GLOBALS['PIWIK_TRACKER_DEBUG']) { + if(!headers_sent()) { + // prevent XSS in tracker debug output + header('Content-type: text/plain'); + } + if (is_object($info)) { $info = var_export($info, true); } @@ -1292,7 +1297,7 @@ class Common } } else { foreach (explode("\n", $info) as $line) { - echo htmlspecialchars($line, ENT_QUOTES) . "\n"; + echo $line . "\n"; } } } |