From 369c2e9ffa67704763e0fe0759b71eccd232fe69 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 8 May 2023 18:42:52 -0600
Subject: [PATCH] remove filter_input in favor of htmlspecialchars + strip_tags

---
 system/src/Grav/Common/Page/Page.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/system/src/Grav/Common/Page/Page.php b/system/src/Grav/Common/Page/Page.php
index 595b7870a..3fc5acb0a 100644
--- a/system/src/Grav/Common/Page/Page.php
+++ b/system/src/Grav/Common/Page/Page.php
@@ -1270,9 +1270,14 @@ class Page implements PageInterface
      */
     public function blueprintName()
     {
-        $blueprint_name = filter_input(INPUT_POST, 'blueprint', FILTER_SANITIZE_STRING) ?: $this->template();
+        if (!isset($_POST['blueprint'])) {
+            return $this->template();
+        }
 
-        return $blueprint_name;
+        $post_value = $_POST['blueprint'];
+        $sanitized_value = htmlspecialchars(strip_tags($post_value), ENT_QUOTES, 'UTF-8');
+
+        return $sanitized_value ?: $this->template();
     }
 
     /**
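Review bot: The replacement sanitizer in blueprintName() is an HTML output-encoding step, not a validator for how the value is presumably used: `htmlspecialchars(strip_tags(...))` leaves `.`, `/` and `..` untouched, so if the returned blueprint name is later used to resolve a blueprint file (the call sites are not visible in this hunk), a POSTed `../../x` still passes through unchanged, exactly as it did with FILTER_SANITIZE_STRING. A second point is a regression relative to `filter_input()`, which returned `false` for non-scalar input: `strip_tags($_POST['blueprint'])` on an array value throws a `TypeError` on PHP 8, so a crafted form submission can trigger an uncaught error. I would validate before sanitizing, e.g. `if (!is_string($post_value) || !preg_match('#^[A-Za-z0-9_\-/]+$#', $post_value)) { return $this->template(); }`, adjusting the character class to whatever the blueprint naming scheme actually permits. The HTML escaping can then stay as defence in depth, or move to the template layer where the name is rendered.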