From 573dddeef0ca68157be8f93cbbc5176b4a162b17 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:22:50 +0000
Subject: [PATCH] Fix reflected XSS in comments.php by HTML-encoding 'asdf' GET parameter
---
 comments.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/comments.php b/comments.php
index 817601120d..db332deb3f 100644
--- a/comments.php
+++ b/comments.php
@@ -13,7 +13,7 @@
 include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
 include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
-echo $_GET['asdf'];
+echo isset($_GET['asdf']) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';
 if (!$conf['activate_comments']) {
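Review bot: The new `echo` line still fails on PHP 8 when the parameter arrives as an array (`?asdf[]=x`), because `isset()` accepts arrays while `htmlspecialchars()` requires a string and throws a TypeError; guard the type instead, e.g. `echo is_string($_GET['asdf'] ?? null) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';`. More fundamentally, an unconditional echo of a parameter named `asdf`, placed between the includes and the `$conf['activate_comments']` check and before any template output, reads like a leftover debug statement with no functional role, so deleting the line would close the reflected-output path entirely rather than encoding it; if it is intentionally kept, a comment stating why the page emits this value here would help the next reader. ENT_QUOTES encoding is adequate only for an HTML body or attribute context, which appears to apply here but depends on what surrounds this output further down the file, outside the hunk. The `if` block at the end of the hunk continues past it.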