diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2022-09-03 18:51:00 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2022-09-03 19:12:34 +0200 |
| commit | 03f7d3d96ed91481196c67839bb07e3672af9d4a (patch) | |
| tree | fa872f18673acc5717bd1e8ba7351e744f226032 | |
| parent | 610d336f5af954e1e2ee6eebe0cb8d43cdad0a35 (diff) | |
| download | dokuwiki-03f7d3d96ed91481196c67839bb07e3672af9d4a.tar.gz dokuwiki-03f7d3d96ed91481196c67839bb07e3672af9d4a.zip | |
SECURITY fix difftype handling. #3761
| -rw-r--r-- | inc/Ui/PageDiff.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/inc/Ui/PageDiff.php b/inc/Ui/PageDiff.php index 751b4528b..0fae6a097 100644 --- a/inc/Ui/PageDiff.php +++ b/inc/Ui/PageDiff.php @@ -105,13 +105,14 @@ class PageDiff extends Diff } // requested diff view type + $mode = ''; if ($INPUT->has('difftype')) { - $this->preference['difftype'] = $INPUT->str('difftype'); + $mode = $INPUT->str('difftype'); } else { // read preference from DokuWiki cookie. PageDiff only $mode = get_doku_pref('difftype', null); - if (isset($mode)) $this->preference['difftype'] = $mode; } + if(in_array($mode, ['inline','sidebyside'])) $this->preference['difftype'] = $mode; if (!$INPUT->has('rev') && !$INPUT->has('rev2')) { global $INFO, $REV; @@ -217,7 +218,7 @@ class PageDiff extends Diff // display diff view table echo '<div class="table">'; - echo '<table class="diff diff_'.$this->preference['difftype'] .'">'; + echo '<table class="diff diff_'.hsc($this->preference['difftype']) .'">'; //navigation and header switch ($this->preference['difftype']) { |