From 9ea5437bb267508aded1b63b92c51894bbfeaebf Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 20:57:00 +0000
Subject: [PATCH] Escape user-supplied 'asdf' parameter in popuphelp.php to prevent reflected XSS
---
 popuphelp.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/popuphelp.php b/popuphelp.php
index be2bc58323..03be21eaff 100644
--- a/popuphelp.php
+++ b/popuphelp.php
@@ -19,7 +19,7 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_GUEST);
-echo $_GET['asdf'];
+if (isset($_GET['asdf'])) echo htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8');
 $page['body_id'] = 'thePopuphelpPage';
 $title = l10n('Piwigo Help');
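Review bot: The guard on the new `echo` line checks only `isset()`, so a request that supplies `asdf` as an array still reaches `htmlspecialchars()`, which throws a `TypeError` on PHP 8 (a warning on PHP 7) and can expose a file path if errors are displayed. Test the type as well: `if (isset($_GET['asdf']) && is_string($_GET['asdf'])) echo htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8');`. Nothing in the visible hunk consumes this output, and it is written right after `check_status(ACCESS_GUEST)` and before `$page['body_id']` is set, so the parameter looks like leftover debug code. If that is confirmed, deleting the statement removes the sink instead of hardening it. The rest of popuphelp.php is outside the hunk, so whether anything else reads `$_GET['asdf']` cannot be told from here.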