From 9e8bcd5f2ba2246ad2dff46d0313cb0c9e9f5579 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <gohr@cosmocode.de>
Date: Tue, 10 Dec 2013 15:56:06 +0100
Subject: [PATCH] fix possible XSS vulnerability in Plugin Manager

The plugin manager echos raw URLs in error messages, this could allow to
construct an XSS attack. However the affected form is CSRF protected,
so an attacker would require another XSS vulnerability to get the needed token,
rendering this attack unneeded. So this should not be exploitable.
---
 lib/plugins/plugin/classes/ap_download.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/plugins/plugin/classes/ap_download.class.php b/lib/plugins/plugin/classes/ap_download.class.php
index 3cc455867..b1be11506 100644
--- a/lib/plugins/plugin/classes/ap_download.class.php
+++ b/lib/plugins/plugin/classes/ap_download.class.php
@@ -24,7 +24,7 @@ class ap_download extends ap_manage {
         ptln('<h2>'.$this->lang['downloading'].'</h2>');
 
         if ($this->manager->error) {
-            ptln('<div class="error">'.str_replace("\n","<br />",$this->manager->error).'</div>');
+            ptln('<div class="error">'.str_replace("\n","<br />",hsc($this->manager->error)).'</div>');
         } else if (count($this->downloaded) == 1) {
             ptln('<p>'.sprintf($this->lang['downloaded'],$this->downloaded[0]).'</p>');
         } else if (count($this->downloaded)) {   // more than one plugin in the download
-- 
GitLab