From 0f5f2d960184db7333ecf7d52da406cae306412b Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Sat, 6 Aug 2011 15:05:59 -0400
Subject: [PATCH] XSS with IE <= 8.x (semicolon and attachment headers
---
 tbl_tracking.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 7cf7cd5223..5544ecdcdd 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -111,7 +111,7 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
     foreach($entries as $entry) {
         $dump .= $entry['statement'];
     }
-    $filename = 'log_' . htmlspecialchars($_REQUEST['table']) . '.sql';
+    $filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
     header('Content-Type: text/x-sql');
     header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
     header('Content-Disposition: attachment; filename="' . $filename . '"');
-- 
2.11.4.GIT
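Review bot: Stripping only `;` on the added `$filename` line leaves every other character of `$_REQUEST['table']` in a raw `Content-Disposition` header value, and `htmlspecialchars` is an HTML-context escape (it turns `"` into `&quot;`, which then lands in the filename as entity text) rather than a header-safe encoding, so the blacklist is narrower than the problem it addresses. A character whitelist is the robust form: `$filename = 'log_' . preg_replace('/[^A-Za-z0-9_.-]/', '_', $_REQUEST['table']) . '.sql';`. Because the body is served as `text/x-sql` from an attacker-influenced table name, adding `header('X-Content-Type-Options: nosniff');` beside the existing `header()` calls addresses the content-sniffing half of the IE issue that the filename change does not. The enclosing `if` block starts before this hunk and continues past it.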