Merge pull request #107 from mehulmpt/master

oscarotero · oscarotero · commit df961350bb29 · 2015-11-26T17:22:55.000+01:00
Parsed down the URL parameter which earlier allowed XSS on page
diff --git a/demo/index.php b/demo/index.php
@@ -6,6 +6,11 @@
 
 function get($name, $default = '')
 {
+    if($name == 'url') {
+        if(filter_var($_GET['url'], FILTER_VALIDATE_URL)) {
+            return 'http://doNotTryToXSS.invalid';
+        }
+    }
     return isset($_GET[$name]) ? $_GET[$name] : $default;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,11 @@`
`6`	`6`
`7`	`7`	`function get($name, $default = '')`
`8`	`8`	`{`
	`9`	`+ if($name == 'url') {`
	`10`	`+ if(filter_var($_GET['url'], FILTER_VALIDATE_URL)) {`
	`11`	`+ return 'http://doNotTryToXSS.invalid';`
	`12`	`+ }`
	`13`	`+ }`
`9`	`14`	`return isset($_GET[$name]) ? $_GET[$name] : $default;`
`10`	`15`	`}`
`11`	`16`