From 767a00c2c0a916f5ae3c3e9d0b2d0f5aaa0a362e Mon Sep 17 00:00:00 2001
From: Casey Peel
Date: Sat, 11 Feb 2023 05:31:00 +0000
Subject: [PATCH] Validate page state on leaving proofreading UI

Prevent XSS injection into "Save as Done" and "Return Page to Round" via the page state.

---
 tools/proofers/processtext.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/proofers/processtext.php b/tools/proofers/processtext.php
index a2585aa6f1..78c11c18b9 100644
--- a/tools/proofers/processtext.php
+++ b/tools/proofers/processtext.php
@@ -5,6 +5,7 @@
 include_once($relPath.'metarefresh.inc');
 include_once($relPath.'misc.inc'); // array_get()
 include_once($relPath.'abort.inc');
+include_once($relPath.'Project.inc'); // $PROJECT_STATES_IN_ORDER
 include_once('PPage.inc');
 include_once('proof_frame.inc');
 include_once('text_frame_std.inc');
@@ -20,7 +21,7 @@
  */
 $projectid = get_projectID_param($_POST, 'projectid');
-$proj_state = $_POST['proj_state'];
+$proj_state = get_enumerated_param($_POST, 'proj_state', null, $PROJECT_STATES_IN_ORDER);
 $imagefile = get_page_image_param($_POST, 'imagefile');
 $text_data = array_get($_POST, 'text_data', '');
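Review bot: Allowlisting `proj_state` against `$PROJECT_STATES_IN_ORDER` closes the HTML-injection path, but the second hunk still lets the client pick the state: any value in the list is accepted regardless of which state the project identified by `$projectid` is actually in, so a request can present a valid-but-wrong round. If the code further down uses `$proj_state` to choose the round table or the page's target state, the server-side value should win — load it from the project record and reject a mismatch, roughly `$project = new Project($projectid); if ($proj_state != $project->state) abort(...)` (adjust to whatever accessor Project.inc actually exposes). A one-line comment on the new call would also help, e.g. `// proj_state is echoed back into the page; allowlist it (null default = required)`, since what the `null` default means depends on get_enumerated_param's contract, which is not visible here. The hunk's trailing context lines appear to run past the end of this excerpt.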