From 7e774b8f77bcade35f04a83f72a60f28d440cdca Mon Sep 17 00:00:00 2001
From: Olivier Bado-Faustin <12731381+Badatos@users.noreply.github.com>
Date: Tue, 2 Dec 2025 15:46:35 +0100
Subject: [PATCH] escape rev and search to avoid XSS breach

---
 include/setup.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/setup.php b/include/setup.php
index 879dc340..a4ac77d6 100644
--- a/include/setup.php
+++ b/include/setup.php
@@ -585,6 +585,7 @@ function createRevisionSelectionForm() {
 	$vars['revision_form'] = '<form method="get" action="" id="revision">'.$hidden;
 	if ($rev === null)
 		$rev = (int)@$_REQUEST['rev'];
+	$rev = escape($rev);
 	$vars['revision_input'] = '<input type="text" size="5" name="rev" placeholder="'.($rev ? $rev : 'HEAD').'" />';
 	$vars['revision_submit'] = '<input type="submit" value="'.$lang['GO'].'" />';
 	$vars['revision_endform'] = '</form>';
@@ -611,6 +612,7 @@ function createSearchSelectionForm() {
 	$vars['search'] = true;
 	$vars['search_form'] = '<form method="get" action="'.$config->getURL($rep, '', 'search').'" id="search">'.$hidden;
 	$search = $search? $search : $lang['SEARCH_PLACEHOLDER'];
+	$search = escape($search);
 	$vars['search_input'] = '<input type="text" size="20" name="search" placeholder="'.$search.'" />';
 	$vars['search_submit'] = '<input type="submit" value="'.$lang['SEARCH'].'" />';
 	$vars['search_endform'] = '</form>';