From 0f34a7c732947b7518146847a5166cc3a1903520 Mon Sep 17 00:00:00 2001
From: markjcrane <markjcrane@gmail.com>
Date: Sun, 25 Jul 2021 08:23:11 -0600
Subject: [PATCH] Use the escape function on name_filter to prevent XSS

---
 app/basic_operator_panel/resources/content.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/basic_operator_panel/resources/content.php b/app/basic_operator_panel/resources/content.php
index ae123ba9ba..e7f1ebae77 100644
--- a/app/basic_operator_panel/resources/content.php
+++ b/app/basic_operator_panel/resources/content.php
@@ -155,9 +155,9 @@ if (is_array($groups) && @sizeof($groups) > 0) {
 }
 echo "				<td valign='top' nowrap='nowrap'>";
 echo "					<input type='hidden' id='extension_filter' value=\"".escape($_REQUEST['extension_filter'])."\">";
-echo "					<input type='hidden' id='name_filter' value=\"".strtolower($_REQUEST['name_filter'])."\">";
+echo "					<input type='hidden' id='name_filter' value=\"".strtolower(escape($_REQUEST['name_filter']))."\">";
 echo "					<input type='text' class='formfld' placeholder='Filter Extension' value=\"".escape($_REQUEST['extension_filter'])."\" onkeyup=\"document.getElementById('extension_filter').value = this.value; refresh_start();\" onfocus='refresh_stop();'>\n";
-echo "					<input type='text' class='formfld' placeholder='Filter Name' value=\"".strtolower($_REQUEST['name_filter'])."\" onkeyup=\"document.getElementById('name_filter').value = this.value; refresh_start();\" onfocus='refresh_stop();'>\n";
+echo "					<input type='text' class='formfld' placeholder='Filter Name' value=\"".strtolower(escape($_REQUEST['name_filter']))."\" onkeyup=\"document.getElementById('name_filter').value = this.value; refresh_start();\" onfocus='refresh_stop();'>\n";
 echo "					<input type='button' class='btn' title=\"Clear\" value=\"Clear\" onclick=\"document.getElementById('extension_filter').value = ''; document.getElementById('name_filter').value = '';\" ".$onhover_pause_refresh.">";
 echo "				</td>";
 echo "				</tr>";