-rwxr-xr-x | docs/CHANGELOG | 2 | ||||
-rw-r--r-- | server/ajax.server.php | 4 |
2 files changed, 6 insertions, 0 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index c0cec19a..82ffa1a6 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,8 @@
 --------------------------------------------------------------------------
 v.3.6-FUTURE
+ - Fixed persistent XSS vulnerabilities in AJAX object editing (reported by
+ Jean-Lou Hau)
 - Fixed character set detection for ID3v1 tags
 - Added matroska to the list of known tag types
 - Made the getID3 metadata source work better with tag types that Ampache
diff --git a/server/ajax.server.php b/server/ajax.server.php
index 52175876..80609567 100644
--- a/server/ajax.server.php
+++ b/server/ajax.server.php
@@ -158,6 +158,10 @@ switch ($_REQUEST['action']) {
 ob_end_clean();
 break;
 case 'edit_object':
+ // Scrub the data
+ foreach ($_POST as $key => $data) {
+ $_POST[$key] = scrub_in($data);
+ }
 $level = '50';
|