From 75a9c288070d10ab0ef8de169b5befe0846f1e10 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel <cybot_tm@users.sourceforge.net>
Date: Wed, 10 Oct 2007 07:30:59 +0000
Subject: fixed bug #1810629 XSS in setup.php

---
 scripts/setup.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'scripts')

diff --git a/scripts/setup.php b/scripts/setup.php
index 4fe4971544..ee723523d4 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -1951,7 +1951,10 @@ switch ($action) {
             if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) {
                 $redir = '';
             } else {
-                $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">this link</a> to use secure connection.';
+                $redir = ' If your server is also configured to accept HTTPS request'
+                    . ' follow <a href="https://'
+                    . htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
+                    . '">this link</a> to use secure connection.';
             }
             message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
         }
-- 
cgit v1.2.3