From 026119777c7d36e9c9d5caa849b0b9a7ba001308 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:08:04 +0000
Subject: [PATCH] Sanitize asdf GET parameter in install.php to prevent reflected XSS
---
 install.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/install.php b/install.php
index 1d0269179e..47a00a2d8b 100644
--- a/install.php
+++ b/install.php
@@ -9,7 +9,9 @@
 //----------------------------------------------------------- include
 define('PHPWG_ROOT_PATH','./');
-echo $_GET['asdf'];
+if (isset($_GET['asdf']) && $_GET['asdf'] !== '') {
+ echo htmlspecialchars($_GET['asdf'], ENT_QUOTES, 'UTF-8');
+}
 // @set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
 //
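Review bot: The new guard on the `asdf` parameter checks only `isset` and non-empty, so an array-valued parameter still reaches `htmlspecialchars()`, which raises a TypeError on PHP 8 (a warning on PHP 7) and can expose the script path when errors are displayed. Tighten the condition to `if (isset($_GET['asdf']) && is_string($_GET['asdf']) && $_GET['asdf'] !== '') {`. Separately, nothing visible in the hunk uses this output, and it is emitted before the rest of install.php runs, so it is worth confirming whether the echo is needed at all; if it is a leftover, deleting the statement removes the reflection sink instead of escaping it. The rest of the script lies outside the hunk.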