From e6532439d68234d86176e4d967609d68dd564c1d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sun, 3 Dec 2017 23:35:38 +0300
Subject: force strip_tags() on all user input unless explicitly allowed
---
 classes/backend.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'classes/backend.php')
diff --git a/classes/backend.php b/classes/backend.php
index c9a595b86..d5d0f5a01 100644
--- a/classes/backend.php
+++ b/classes/backend.php
@@ -84,7 +84,7 @@ class Backend extends Handler {
 }
 function help() {
- $topic = basename($_REQUEST["topic"]);
+ $topic = basename(clean($_REQUEST["topic"]));
 switch ($topic) {
 case "main":
-- 
cgit v1.2.3
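Review bot: `$_REQUEST["topic"]` in `help()` is still read without checking that it is present and is a string, so a request that omits `topic` or sends `topic[]=...` passes null or an array into `clean()` and then `basename()`. Whether `clean()` tolerates that is not visible in this hunk. A guard such as `$topic = isset($_REQUEST["topic"]) && is_string($_REQUEST["topic"]) ? basename(clean($_REQUEST["topic"])) : "";` keeps the value a plain string before the `switch`. Keeping `basename()` outermost is the right order, and it deserves a short comment such as `// basename() must stay the last step so no path separator survives the filtering`. Tag stripping is not output escaping, so if a branch beyond the hunk (the `switch` body continues outside it) echoes `$topic`, it still needs `htmlspecialchars()` at the point of output.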