From c17ea82a805bef2183ad2cc3b8c145c6d971e0bb Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 29 Dec 2017 12:32:45 +0100
Subject: [PATCH] Fixed #4894 XSS vulnerability in global search

---
 interface/web/dashboard/ajax_get_json.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/interface/web/dashboard/ajax_get_json.php b/interface/web/dashboard/ajax_get_json.php
index 30a668a77f..32fc8912e0 100644
--- a/interface/web/dashboard/ajax_get_json.php
+++ b/interface/web/dashboard/ajax_get_json.php
@@ -189,6 +189,7 @@ function _search($module, $section, $additional_sql = '', $params = ''){
 
 		$sql = "SELECT * FROM ?? WHERE ".$where_clause.$authsql.$order_clause." LIMIT 0,10";
 		$results = $app->db->queryAllRecords($sql, $db_table);
+		$results = $app->functions->htmlentities($results);
 
 		if(is_array($results) && !empty($results)){
 			$lng_file = '../'.$module.'/lib/lang/'.$_SESSION['s']['language'].'_'.$section.'.lng';
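Review bot: The added `$app->functions->htmlentities($results)` call runs before the `is_array($results) && !empty($results)` guard, so the helper receives whatever `queryAllRecords()` returned, including a failure or empty value; whether it tolerates a non-array is not visible in this hunk. Moving the line to be the first statement inside the `if` block would limit the encoding to real result rows. The line would also benefit from a comment stating the output context, for example `// HTML-encode all column values: the global search renders them as markup on the client (#4894)`. The encoding happens once, on the server, for a JSON response, so any consumer that inserts these values as plain text will show literal entities, and any other response path in this file that skips `_search()` stays unencoded; both are worth checking against the client code. `_search()` starts and ends outside the hunk, so the later use of `$results` could not be reviewed here.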
-- 
GitLab