From e6532439d68234d86176e4d967609d68dd564c1d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sun, 3 Dec 2017 23:35:38 +0300
Subject: force strip_tags() on all user input unless explicitly allowed
---
 classes/pluginhandler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'classes/pluginhandler.php')
diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 1c9e7aef6..d10343e09 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -5,7 +5,7 @@ class PluginHandler extends Handler_Protected {
 }
 function catchall($method) {
- $plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]);
+ $plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"]));
 if ($plugin) {
 if (method_exists($plugin, $method)) {
-- 
cgit v1.2.3
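Review bot: On the changed line in catchall(), `clean()` (strip_tags, per the commit subject) removes markup but does not validate the value as a plugin identifier, so the lookup is still only as strict as `get_plugin()`, which is not visible in this hunk. The key may also be missing or arrive as an array, and how `clean()` handles that cannot be told from here. I would check the shape before the lookup, e.g. `$name = isset($_REQUEST["plugin"]) ? $_REQUEST["plugin"] : "";` followed by `if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) $name = "";`, with the character class adjusted to the project's plugin naming. The context lines show `$method` gated only by `method_exists()`, so a comment such as `// $method is request-driven: only methods a plugin intends to expose should be reachable here` would document that boundary. catchall() continues past the end of the hunk.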