authorRomain d'Alverny <rda@mageia.org>2013-07-27 21:00:15 +0000
committerRomain d'Alverny <rda@mageia.org>2013-07-27 21:00:15 +0000
commit7d93094012886b2e5fa485bf6272e701798ac95f (patch)
treeb46ef589638c777698e6f6567c88c0201c1c7962 /en
parent8de343a4405a6f602a9a38373378e2febe74cc90 (diff)
fix bug 10856 (unfiltered input param leading to a XSS vulnerability)
Diffstat (limited to 'en')
-rw-r--r--en/downloads/get/index.php6
-rw-r--r--en/downloads/get/lib.php6
2 files changed, 7 insertions, 5 deletions
diff --git a/en/downloads/get/index.php b/en/downloads/get/index.php
index 519932d10..7ddcf9795 100644
--- a/en/downloads/get/index.php
+++ b/en/downloads/get/index.php
@@ -239,10 +239,8 @@ if (!isset($_SERVER['APP_MODE']) || $_SERVER['APP_MODE'] == 'prod') {
<li><?php _e('or with a <a href="https://ml.mageia.org/l/info/atelier-discuss">notice on the Atelier team mailing-list</a>,'); ?></li>
<li><?php _e('or a <a href="https://bugs.mageia.org/enter_bug.cgi?product=Websites&amp;format=guided&amp;component=www.mageia.org">bug report</a>.'); ?></li>
</ul>
-
- <p><?php _e('You may embed this debug info if you like:'); ?></p>
- <pre class="term small"><?php echo $reason, "\n", (json_encode(strip_tags($_GET))); ?></pre>
- <p><?php _e('Thanks!'); ?></p>
+
+ <p><?php _e('Please copy and report us the above address that returned you to this page.'); _e('Thanks!'); ?></p>
<p><a href="/<?php echo $locale; ?>">&laquo; <?php _e('back to that awesome Mageia home page'); ?></a></p>
</div></div>
<?php endif; ?>
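Review bot: The two `_e()` calls on the added line are emitted back to back with no separator, so the rendered text reads "…to this page.Thanks!"; put a space between them, e.g. `_e('Please copy and report us the above address that returned you to this page.'); echo ' '; _e('Thanks!');`. Dropping the `json_encode(strip_tags($_GET))` dump also removes `$reason` from the page, so a user can no longer tell the team why the lookup failed; if that diagnostic is still wanted, echo it as `htmlspecialchars($reason, ENT_QUOTES, 'UTF-8')` rather than raw, and leave `$_GET` out entirely. On the unchanged line just below, `$locale` is interpolated into an `href` attribute without escaping; if it can be derived from the request rather than a fixed list of locales, it needs the same `htmlspecialchars` treatment. The enclosing `if`/`endif` block starts before this hunk.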
diff --git a/en/downloads/get/lib.php b/en/downloads/get/lib.php
index efa69e775..35bbe985c 100644
--- a/en/downloads/get/lib.php
+++ b/en/downloads/get/lib.php
@@ -76,7 +76,11 @@ function rewrite_city($name)
*/
function get($s)
{
- return isset($_GET[$s]) ? trim($_GET[$s]) : null;
+ if (isset($_GET[$s])) {
+ return strip_tags(trim($_GET[$s]));
+ }
+
+ return null;
}
class NoProductFoundError extends Exception {}
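Review bot: The new `get()` body still assumes `$_GET[$s]` is a string: a request such as `?key[]=1` makes `isset()` true and passes an array to `trim()`, which warns and yields null on PHP 7 and throws a `TypeError` on PHP 8, so guard the type with `if (isset($_GET[$s]) && is_string($_GET[$s])) {`. Separately, `strip_tags()` is not an escaping step: it leaves `"`, `'` and `&` untouched, so a value that is later echoed into an attribute or a URL can still break out of its context. Treat this helper as input normalisation only and escape at each output site for the context it lands in, e.g. `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` for HTML and attributes. The docblock for `get()` begins before this hunk.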