From d0e8f692c65b055342b747684b93e277c691e98d Mon Sep 17 00:00:00 2001
From: Janis Steiner <89935073+jakani24@users.noreply.github.com>
Date: Sun, 19 Apr 2026 19:00:13 +0200
Subject: [PATCH] fix xss in send_to

fixing a major security vulnerability which allowed attackers to execute javascript via the send_to parameter
---
 app-code/api/login/redirect.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app-code/api/login/redirect.php b/app-code/api/login/redirect.php
index de7c840..2e51a91 100644
--- a/app-code/api/login/redirect.php
+++ b/app-code/api/login/redirect.php
@@ -5,7 +5,7 @@ header('Content-Type: application/json');
 include "../utils/get_location.php";
 $send_to=$_SESSION["end_url"];
-
+$send_to = htmlspecialchars(str_replace([':', ';', 'script', 'java','(',')'],'',$send_to));
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);