fix XSS vulnerabilities with proper output escaping

2025-07-17 09:58:19 +04:00
parent 5be21cabcf
commit b2c9ae8154
2 changed files with 30 additions and 12 deletions
+16 -2
@@ -9,6 +9,20 @@ if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQ
exit;
}
// Vérifier l'origine de la requête
if (!validateAjaxOrigin()) {
http_response_code(403);
echo json_encode(['error' => 'Origine non autorisée']);
exit;
}
// Vérifier le token CSRF
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
http_response_code(403);
echo json_encode(['error' => 'Token CSRF invalide']);
exit;
}
// Récupérer les paramètres
$type = isset($_GET['type']) ? $_GET['type'] : '';
$page = isset($_GET['page']) ? intval($_GET['page']) : 1;
@@ -83,9 +97,9 @@ switch ($type) {
$html = '';
foreach ($videos as $video) {
$html .= '<div class="video-card" data-video-id="' . $video['id'] . '">';
$html .= '<div class="video-card" data-video-id="' . htmlspecialchars($video['id']) . '">';
$html .= ' <div class="video-thumbnail">';
$html .= ' <img src="' . $video['thumbnail'] . '" alt="' . htmlspecialchars($video['title']) . '">';
$html .= ' <img src="' . htmlspecialchars($video['thumbnail']) . '" alt="' . htmlspecialchars($video['title']) . '">';
$html .= ' <div class="video-play-icon">';
$html .= ' <i class="fas fa-play-circle"></i>';
$html .= ' </div>';
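Review bot: The new `htmlspecialchars()` calls on the `data-video-id`, `src` and `alt` attributes rely on the default flags, so the escaping depends on the PHP version (before 8.1 the default is `ENT_COMPAT`, which leaves single quotes alone) and, without `ENT_SUBSTITUTE`, a value containing invalid UTF-8 is silently replaced by an empty string. Pass the flags and charset explicitly so the output is the same everywhere and safe even if someone later switches an attribute to single quotes: `htmlspecialchars($video['thumbnail'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same for `$video['id']` and `$video['title']`. If this file declares `strict_types=1` and `id` arrives as an int from the database, `htmlspecialchars($video['id'])` will throw a TypeError, so cast with `(string) $video['id']` first — I cannot see the file header from this hunk, so please confirm. Attribute escaping also does not validate what `thumbnail` is; if that value can be user-supplied, consider checking it is a relative path or an http(s) URL before emitting it in `src`. The enclosing `switch ($type)` case continues outside the hunk.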