
Commit 4530bb0

Fixed possible XSS attack
https://oscarotero.com/embed2/demo/index.php?url=ftp://oscarotero.com/;<script>alert()</script> The JS would be (obviously) blocked on modern browsers because it clearly triggers XSS auditors, but CSS/HTML isn't blocked and auditors can be bypassed. Added htmlentities() on the output message of the error thrown.
1 parent 753c886 commit 4530bb0

1 file changed

+2
-2
lines changed

src/Embed.php

Lines changed: 2 additions & 2 deletions
@@ -48,10 +48,10 @@ public static function create($request, array $config = array())
4848
$error = $request->getError();
4949

5050
if (empty($error)) {
51-
throw new Exceptions\InvalidUrlException(sprintf("The url '%s' returns the http code %s", $request->getUrl(), $request->getHttpCode()));
51+
throw new Exceptions\InvalidUrlException(sprintf("The url '%s' returns the http code %s", htmlentities($request->getUrl()), $request->getHttpCode()));
5252
}
5353

54-
throw new Exceptions\InvalidUrlException(sprintf("The url '%s' returns the following error: %s", $request->getUrl(), $error));
54+
throw new Exceptions\InvalidUrlException(sprintf("The url '%s' returns the following error: %s", htmlentities($request->getUrl()), $error));
5555
}
5656

5757
/**
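Review bot: the second throw (line 54) still interpolates `$error` from `$request->getError()` unescaped, so if that error string can echo back any part of the request (for example a malformed URL reported by the transport layer), the same HTML injection the commit message describes remains reachable through the `'%s' returns the following error: %s` message; escape that operand the same way or, better, leave the exception message as plain text and escape once at the point where the demo page renders it, since encoding inside the exception also puts HTML entities into logs and into any non-HTML consumer of `getMessage()`. Also note that `htmlentities()` is called without flags or charset: on PHP releases before 8.1 the default is `ENT_COMPAT`, which leaves single quotes unencoded even though the URL is wrapped in `'...'` here, so if the message ever lands in an attribute context the quoting can still be broken out of; `htmlspecialchars($request->getUrl(), ENT_QUOTES, 'UTF-8')` would be the explicit form.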
