Encode the contents of pkg_filter before output. Fixes #7227

author: jim-p <jimp@pfsense.org> 2017-02-07 11:45:20 -0500
committer: jim-p <jimp@pfsense.org> 2017-02-07 11:45:20 -0500
commit: 6ac61204bc9e4cff54c818ecc71d20d2626a02e1 (patch)
tree: 37b70862a11ba455fee35c66b1cdc5d9523cee0d /src/usr/local/www/pkg.php
parent: 2c06742d784cb7ec85151327fd753536d98fbcc1 (diff)
download: pfsense-6ac61204bc9e4cff54c818ecc71d20d2626a02e1.zip
pfsense-6ac61204bc9e4cff54c818ecc71d20d2626a02e1.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/usr/local/www/pkg.php b/src/usr/local/www/pkg.php
index 84aef95..08c0b1c 100644
--- a/src/usr/local/www/pkg.php
+++ b/src/usr/local/www/pkg.php
@@ -346,7 +346,7 @@ if ($savemsg) {
 					echo "</select>";
 				}
 				if ($include_filtering_inputbox) {
-					echo '&nbsp;&nbsp;' . gettext("Filter text: ") . '<input id="pkg_filter" name="pkg_filter" value="' . $_REQUEST['pkg_filter'] . '" />';
+					echo '&nbsp;&nbsp;' . gettext("Filter text: ") . '<input id="pkg_filter" name="pkg_filter" value="' . htmlspecialchars($_REQUEST['pkg_filter']) . '" />';
 					echo '&nbsp;<button type="submit" value="Filter" class="btn btn-primary btn-xs">';
 					echo '<i class="fa fa-filter icon-embed-btn"></i>';
 					echo gettext("Filter");
author	jim-p <jimp@pfsense.org>	2017-02-07 11:45:20 -0500
committer	jim-p <jimp@pfsense.org>	2017-02-07 11:45:20 -0500
commit	6ac61204bc9e4cff54c818ecc71d20d2626a02e1 (patch)
tree	37b70862a11ba455fee35c66b1cdc5d9523cee0d /src/usr/local/www/pkg.php
parent	2c06742d784cb7ec85151327fd753536d98fbcc1 (diff)
download	pfsense-6ac61204bc9e4cff54c818ecc71d20d2626a02e1.zip pfsense-6ac61204bc9e4cff54c818ecc71d20d2626a02e1.tar.gz