Add htmlentities to prevent xss

jaapmarcus · jaapmarcus · commit 2edde580b41d · 2021-09-09T10:46:06.000+02:00
diff --git a/web/templates/pages/list_key.html b/web/templates/pages/list_key.html
@@ -42,7 +42,7 @@
 								<a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete');?>">
 									<i class="fas fa-trash status-icon red status-icon dim do_delete"></i>
 									<?php if (($_SESSION['userContext'] === 'admin') && (isset($_GET['user'])) && ($_GET['user'] !== 'admin')) { ?>
-										<input type="hidden" name="delete_url" value="/delete/key/?user=<?=$_GET['user']?>&key=<?=$key?>&token=<?=$_SESSION['token']?>" />
+										<input type="hidden" name="delete_url" value="/delete/key/?user=<?=htmlentities($_GET['user']);?>&key=<?=$key?>&token=<?=$_SESSION['token']?>" />
 									<?php } else { ?>
 										<input type="hidden" name="delete_url" value="/delete/key/?key=<?=$key?>&token=<?=$_SESSION['token']?>" />
 									<?php } ?>
