From 42fdd1fbe98c263b8432b7283ca89327d8c51fc7 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Thu, 8 Dec 2016 15:52:21 -0500
Subject: [PATCH] Use htmlentities on the error message when dying because the string will be sent to the browser and if it includes scripts they will be run.
---
 web/includes/logger.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/includes/logger.php b/web/includes/logger.php
index 94c00a8d1..03854dbf9 100644
--- a/web/includes/logger.php
+++ b/web/includes/logger.php
@@ -528,7 +528,7 @@ function Error( $string )
 function Fatal( $string )
 {
     Logger::fetch()->logPrint( Logger::FATAL, $string );
-    die( $string );
+    die( htmlentities($string) );
 }
 
 function Panic( $string )
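Review bot: The added `htmlentities($string)` on the `+` line relies on the function's default flags, so single quotes are left unescaped and the assumed charset depends on the PHP version (ISO-8859-1 before 5.4); an error message landing inside a single-quoted attribute is therefore still not safely neutralised, and invalid UTF-8 input makes the call return an empty string, which hides the message entirely. Prefer `die( htmlspecialchars( $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) );` so the escaping rules and encoding are explicit and a malformed message still reaches the browser in readable form. The `logPrint` call on the preceding context line keeps the unescaped text for the log, which is the correct split: only the copy written into the HTTP response needs HTML escaping. `function Panic( $string )` starts on the hunk's last line and its body is outside the hunk, so whether it carries the same raw `die( $string )` pattern cannot be checked here and is worth a look in the same change.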