mirror of
https://github.com/pi-hole/web.git
synced 2025-12-20 10:48:26 +00:00
8c0f785351
The information from `mg.request_info.request_uri` depends on the URL typed by the user. This information was used without any sanitization, allowing an attacker to send crafted links containing anything, including javascript code, which could be loaded and executed in a few pages. Replacing this value with `scriptname` variable fixes the issue, since this variable contains the name of the file currently being executed. This information cannot be externally manipulated and it is safe to be used on the page. Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>