From 8443ce7c83f2bfa98cf40bf09f7a15db52256093 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:23:17 +0000
Subject: [PATCH] Fix reflected XSS in nbm.php by escaping asdf GET parameter
---
 nbm.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nbm.php b/nbm.php
index 8c71edb392..221cfc2a5d 100644
--- a/nbm.php
+++ b/nbm.php
@@ -21,7 +21,7 @@ trigger_notify('loading_lang');
 load_language('lang', PHPWG_ROOT_PATH.PWG_LOCAL_DIR, array('no_fallback'=>true, 'local'=>true) );
-echo $_GET['asdf'];
+echo isset($_GET['asdf']) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES|ENT_SUBSTITUTE, 'UTF-8') : '';
 // +-----------------------------------------------------------------------+
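Review bot: The added `echo` line checks only that `$_GET['asdf']` is set, not that it is a string, so an array-valued `asdf` parameter reaches `htmlspecialchars()` and raises a TypeError on PHP 8 (a warning and empty output on PHP 7); where error display is enabled that can abort the page and expose the script path. Guard on type instead of presence: `echo is_string($_GET['asdf'] ?? null) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES|ENT_SUBSTITUTE, 'UTF-8') : '';`. The statement also writes request data into the response ahead of any template or header handling visible here, and the parameter name reads like leftover debugging, so if nothing consumes this output, deleting the line removes the sink altogether. That last point is inferred, since the rest of nbm.php lies outside the hunk.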