From c3b811393de63e324eaa64fe5c9ea3fce428fe1a Mon Sep 17 00:00:00 2001
From: markjcrane
Date: Sun, 25 Jul 2021 13:59:10 -0600
Subject: [PATCH] Fix XSS on login page by removing $_REQUEST[path]

---
 resources/login.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/resources/login.php b/resources/login.php
index 03f2ddaa93..8c743553fe 100644
--- a/resources/login.php
+++ b/resources/login.php
@@ -242,11 +242,6 @@
 //set variable if not set
 if (!isset($_SESSION['login']['domain_name_visible']['boolean'])) { $_SESSION['login']['domain_name_visible']['boolean'] = null; }
 
-//set the requested destination after login
- if (!empty($_REQUEST['path'])) {
- $_SESSION['login']['destination']['url'] = $_REQUEST['path'];
- }
-
 //set a default login destination
 if (strlen($_SESSION['login']['destination']['url']) == 0) {
 $_SESSION['login']['destination']['url'] = PROJECT_PATH."/core/user_settings/user_dashboard.php";