Merge pull request #1 from silverstripe-security/fixes/ss-2015-016

[ss-2015-016]: Fix XSS in install.php
2024-10-02 14:18:46 +02:00 · 2015-09-09 09:48:56 +12:00 · 2015-09-09 09:48:56 +12:00 · 4c73721bab
commit 4c73721bab
parent 751d77386c d8fd64c3e2
1 changed files with 2 additions and 2 deletions
--- a/dev/install/config-form.html
+++ b/dev/install/config-form.html
@ -202,14 +202,14 @@
 									<div class="field">	
 										<label for="admin_username">Email:</label>
 										<span class="middleColumn">
-											<input type="text" class="text configured-by-env" name="admin[username]" id="admin_username" value="<?php echo $adminConfig['username']; ?>" <?php if($usingEnv && defined('SS_DEFAULT_ADMIN_USERNAME')) echo 'disabled="disabled"' ?>>
+											<input type="text" class="text configured-by-env" name="admin[username]" id="admin_username" value="<?php echo htmlspecialchars($adminConfig['username'], ENT_QUOTES, 'UTF-8'); ?>" <?php if($usingEnv && defined('SS_DEFAULT_ADMIN_USERNAME')) echo 'disabled="disabled"' ?>>
 										</span>
 									</div>
 									
 									<div class="field">
 										<label for="admin_password">Password:</label>
 										<span class="middleColumn">
-											<input type="password" class="text configured-by-env" name="admin[password]" id="admin_password" value="<?php echo $adminConfig['password']; ?>" <?php if($usingEnv && defined('SS_DEFAULT_ADMIN_PASSWORD')) echo 'disabled="disabled"' ?>>
+											<input type="password" class="text configured-by-env" name="admin[password]" id="admin_password" value="<?php echo htmlspecialchars($adminConfig['password'], ENT_QUOTES, 'UTF-8'); ?>" <?php if($usingEnv && defined('SS_DEFAULT_ADMIN_PASSWORD')) echo 'disabled="disabled"' ?>>
 										</span>
 									</div>
 								</div>