From a734909521487d48619767d646c9850c3ae23cfe Mon Sep 17 00:00:00 2001 From: Frostb1te <68353531+frostb1ten@users.noreply.github.com> Date: Wed, 21 Sep 2022 09:56:52 -0500 Subject: [PATCH] Update rss.php Fix for a Reflected XSS vulnerability. Attackers can add the X-Forwarded-Host header to inject XSS payloads. X-Forwarded-Host: This mitigation prevents X-Forwarded-Host from being modified.
---
 docs/rss.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/rss.php b/docs/rss.php
index 7fbb9b2c13..9d7e28a1ca 100644
--- a/docs/rss.php
+++ b/docs/rss.php
@@ -22,7 +22,7 @@ function generate_docs_rss(){ global $wgGitRepoPath ;
- $baseUrl = 'http://' . $_SERVER['HTTP_HOST'] . str_replace('rss.php', '', $_SERVER['REQUEST_URI']);
+ $baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . str_replace('rss.php', '', $_SERVER['REQUEST_URI']);
 ob_start(); ?>
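Review bot: The new `$baseUrl` line still builds the URL from request-derived data: `$_SERVER['REQUEST_URI']` is fully client-controlled, and `$_SERVER['SERVER_NAME']` is only server-defined when the web server is set up that way (under Apache it reflects the client's Host header unless `UseCanonicalName On` and `ServerName` are configured). Swapping the host variable narrows one injection path but leaves the root cause, unencoded output, in place. The value should be encoded for the feed's output context, e.g. `$baseUrl = htmlspecialchars($baseUrl, ENT_QUOTES | ENT_XML1, 'UTF-8');` right after this assignment, or the host part should come from a configured site URL rather than from `$_SERVER`. The places where `$baseUrl` is emitted come after `ob_start()` and lie outside this hunk, so the exact context (element text or attribute) needs to be confirmed there. The commit message names X-Forwarded-Host while the replaced code read `HTTP_HOST`; presumably a proxy maps one onto the other, which is worth recording in a comment next to the assignment.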