Autocomplete: Escape HTML tags in callback name to avoid XSS in demo

Fixes #15048
jquery · Sep 22, 2016 · 69e66ea · 69e66ea
1 parent c571d2f
commit 69e66ea
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/demos/autocomplete/search.php b/demos/autocomplete/search.php
@@ -586,7 +586,10 @@
 $output = json_encode($result);
 
 if ($_GET["callback"]) {
-	$output = $_GET["callback"] . "($output);";
+	// Escape special characters to avoid XSS attacks via direct loads of this
+	// page with a callback that contains HTML. This is a lot easier than validating
+	// the callback name.
+	$output = htmlspecialchars($_GET["callback"]) . "($output);";
 }
 
 echo $output;