SA-CORE-2010-001 - request_uri() can not be used as is in HTML

Created on 10 January 2010, almost 15 years ago
Updated 11 December 2024, 11 days ago
$status_report .= 'Check the error messages and <a href="' . request_uri() . '">try again</a>.';

The output of request_uri() cannot be used as is in HTML. It needs to be escaped.

Marking "critical" as it is a potential XSS bug, though quite hard to exploit.
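The vulnerable line from this report beside an escaped version, as an added example that is not part of the issue or of Drupal's own fix. It assumes a stand-in for Drupal 7's request_uri() built from $_SERVER the way bootstrap.inc does, and calls htmlspecialchars() directly where Drupal 7 code would use check_plain(), which wraps that same call with ENT_QUOTES and UTF-8.

```php
<?php
// Added example, not Drupal code: a minimal stand-in for Drupal 7's
// request_uri(). It echoes the request path and query string back to the
// page; on Apache that is REQUEST_URI verbatim, so every byte of it is
// controlled by whoever sent the request.
function request_uri_stub(array $server) {
  if (isset($server['REQUEST_URI'])) {
    return $server['REQUEST_URI'];
  }
  $uri = $server['SCRIPT_NAME'];
  if (!empty($server['QUERY_STRING'])) {
    $uri .= '?' . $server['QUERY_STRING'];
  }
  return $uri;
}

// The pattern reported above: the raw URI concatenated into an href.
function vulnerable_status_report(array $server) {
  return 'Check the error messages and <a href="'
    . request_uri_stub($server) . '">try again</a>.';
}

// Hardened form: escape before the value lands inside an attribute.
// In Drupal 7 this is check_plain(request_uri()).
function safe_status_report(array $server) {
  $uri = htmlspecialchars(request_uri_stub($server), ENT_QUOTES, 'UTF-8');
  return 'Check the error messages and <a href="' . $uri . '">try again</a>.';
}

// Constructed request (not a real capture): the query string carries a
// double quote followed by an attribute, which is exactly what must not
// reach the attribute context unescaped.
$server = array('REQUEST_URI' => '/update.php?op=info&x=" onmouseover="alert(1)');

echo vulnerable_status_report($server), PHP_EOL;
echo safe_status_report($server), PHP_EOL;
```

In the first line of output the double quote terminates the href and the rest of the query string becomes a new attribute on the anchor; in the second it stays inside the attribute as &quot; and the ampersand becomes &amp;. Browsers percent-encode quotes and spaces in a typed URL, which is part of why the report calls this hard to exploit, but the server-side markup must not depend on that.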

🐛 Bug report
Status

Fixed

Version

7.0

Component

update system

Created by

heine (Netherlands)

Tags

Security Advisory follow-up
