Fix improperly escaped output in outages page (#15310)

Fixes XSS reported by https://huntr.dev/users/hainguyen0207
2024-10-07 16:52:45 +00:00 · 2023-09-13 23:10:37 -05:00
parent a1eb90fe69
commit 49d66fa31b
1 changed files with 2 additions and 2 deletions
--- a/includes/html/common/outages.inc.php
+++ b/includes/html/common/outages.inc.php
@ -39,8 +39,8 @@ var outages_grid = $("#outages").bootgrid({
    {
        return {
            device: ' . (empty($vars['device']) ? 'null' : (int) $vars['device']) . ',
-            to: "' . addcslashes($vars['to'], '"') . '",
-            from: "' . addcslashes($vars['from'], '"') . '",
+            to: "' . htmlspecialchars($vars['to']) . '",
+            from: "' . htmlspecialchars($vars['from']) . '",
        };
    },
    url: "' . url('/ajax/table/outages') . '"