From eb55e252888e08a4ad211e887456065a27729bee Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:07:01 +0000
Subject: [PATCH] Escape user-supplied 'asdf' output in password.php to prevent reflected XSS
---
 password.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/password.php b/password.php
index c0a289ec07..27ffce3616 100644
--- a/password.php
+++ b/password.php
@@ -20,7 +20,7 @@ check_status(ACCESS_FREE);
-echo $_GET['asdf'];
+echo isset($_GET['asdf']) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8') : '';
 trigger_notify('loc_begin_password');
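Review bot: The new `echo` line still accepts a non-string value, because `isset($_GET['asdf'])` is also true for an array-valued query parameter, and `htmlspecialchars()` then raises a TypeError on PHP 8 (a warning on older versions) instead of printing escaped text. A type guard closes that: `echo is_string($_GET['asdf'] ?? null) ? htmlspecialchars($_GET['asdf'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';`. Separately, the parameter name and its placement directly after `check_status(ACCESS_FREE)` suggest a leftover debug statement; if nothing depends on that output, deleting the line removes the reflection sink entirely rather than escaping it. The rest of password.php is outside the hunk, so whether anything relies on this output cannot be confirmed from here.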