From 1d0382849bfe300ba551453262f3fa78e0ed9b58 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:06:41 +0000
Subject: [PATCH] Fix reflected XSS by HTML-encoding 'asdf' GET parameter in action.php

---
 action.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.php b/action.php
index 32b2845fd3..bff18cbfc7 100644
--- a/action.php
+++ b/action.php
@@ -13,7 +13,7 @@
 // Check Access and exit when user status is not ok
 check_status(ACCESS_GUEST);
-echo $_GET['asdf'];
+echo isset($_GET['asdf']) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8') : '';
 function guess_mime_type($ext) {
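Review bot: The added `echo` line still assumes `$_GET['asdf']` is a string: a request that sends the parameter as an array (`asdf[]=…`) passes `isset()` and reaches `htmlspecialchars()`, which raises a TypeError on PHP 8 and a warning on older versions, and that error output can disclose the script path where display_errors is enabled. A type guard closes this, and `ENT_SUBSTITUTE` keeps malformed UTF-8 from collapsing the output to an empty string: `echo is_string($_GET['asdf'] ?? null) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';`. The statement runs at file top level right after `check_status(ACCESS_GUEST)`, and the parameter name suggests leftover test output, so it is worth confirming the echo is needed at all; deleting the line would remove the sink instead of hardening it. The rest of action.php, including the body of `guess_mime_type()`, lies outside the hunk.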