From 718a7646d374da09a8223092247484103d0e88a2 Mon Sep 17 00:00:00 2001
From: ZeroPath <noreply@zeropath.com>
Date: Thu, 15 Jan 2026 20:55:42 +0000
Subject: [PATCH] Escape reflected asdf parameter in upgrade.php to prevent XSS

---
 upgrade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/upgrade.php b/upgrade.php
index a091fb43fc..27db89b9b9 100644
--- a/upgrade.php
+++ b/upgrade.php
@@ -14,7 +14,7 @@
   @ini_set('opcache.enable', 0);
 }
 
-echo $_GET['asdf'];
+echo htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8');
 
 define('PHPWG_ROOT_PATH', './');