Encode 'from' and 'to' before output on pkg_mgr_install.php. Fixes #7225

author: jim-p <jimp@pfsense.org> 2017-02-07 11:14:25 -0500
committer: jim-p <jimp@pfsense.org> 2017-02-07 11:14:25 -0500
commit: 2c06742d784cb7ec85151327fd753536d98fbcc1 (patch)
tree: 116680309fe72c7bea457042239c886d1dc15dac /src/usr/local/www/pkg_mgr_install.php
parent: db7a10ab66d8565ce56192bdfd6f62b0a69aac5d (diff)
download: pfsense-2c06742d784cb7ec85151327fd753536d98fbcc1.zip
pfsense-2c06742d784cb7ec85151327fd753536d98fbcc1.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/usr/local/www/pkg_mgr_install.php b/src/usr/local/www/pkg_mgr_install.php
index 9e11d80..5d1f10f 100644
--- a/src/usr/local/www/pkg_mgr_install.php
+++ b/src/usr/local/www/pkg_mgr_install.php
@@ -294,7 +294,7 @@ if (!$confirmed && !$completed &&
 <?php
 			elseif ($_GET['from'] && $_GET['to']):
 ?>
-				<?=sprintf(gettext('Confirmation Required to upgrade package %1$s from %2$s to %3$s.'), $pkgname, $_GET['from'], $_GET['to'])?>
+				<?=sprintf(gettext('Confirmation Required to upgrade package %1$s from %2$s to %3$s.'), $pkgname, htmlspecialchars($_GET['from']), htmlspecialchars($_GET['to']))?>
 <?php
 			elseif ($firmwareupdate):
 ?>
author	jim-p <jimp@pfsense.org>	2017-02-07 11:14:25 -0500
committer	jim-p <jimp@pfsense.org>	2017-02-07 11:14:25 -0500
commit	2c06742d784cb7ec85151327fd753536d98fbcc1 (patch)
tree	116680309fe72c7bea457042239c886d1dc15dac /src/usr/local/www/pkg_mgr_install.php
parent	db7a10ab66d8565ce56192bdfd6f62b0a69aac5d (diff)
download	pfsense-2c06742d784cb7ec85151327fd753536d98fbcc1.zip pfsense-2c06742d784cb7ec85151327fd753536d98fbcc1.tar.gz