From b8bad3651077dccd22a729395813c3c4e2cca370 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Fri, 25 Dec 2020 23:44:33 +0300
Subject: [PATCH] Fix XSS in error message (thanks to Sharif aka Vincent Pentester)

---
 .../libs/classes/Mibew/Controller/ButtonCodeController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php b/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php
index c885f00c..412d07a7 100644
--- a/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php
+++ b/src/mibew/libs/classes/Mibew/Controller/ButtonCodeController.php
@@ -51,7 +51,7 @@ class ButtonCodeController extends AbstractController
 $image_locales_map = $this->getImageLocalesMap(MIBEW_FS_ROOT . '/locales');
 $image = $request->query->get('i', 'mibew');
 if (!isset($image_locales_map[$image])) {
- $page['errors'][] = 'Unknown image: ' . $image;
+ $page['errors'][] = 'Unknown image: ' . htmlspecialchars($image);
 $avail = array_keys($image_locales_map);
 $image = $avail[0];
 }
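Review bot: The added `htmlspecialchars($image)` relies on the default flag set, which on PHP versions before 8.1 does not encode single quotes, so the message is only safe in double-quoted attribute or element-text context; make the contract explicit with `'Unknown image: ' . htmlspecialchars($image, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Escaping at the point where `$page['errors']` is built also bakes HTML entities into the data, so a view that escapes on output will double-encode and a view that prints raw is not covered by this fix; whether the template layer escapes errors cannot be seen from this hunk and should be checked so the escape lives in exactly one place. Since the query value `i` is only echoed back for operator feedback and the code already falls back to a known key from `$image_locales_map`, consider bounding it with `mb_substr` or omitting it from the message, so an arbitrarily long untrusted string never reaches the page. The enclosing method of `ButtonCodeController` starts and ends outside the hunk.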