From 4310fe7a55006d00d404c57c5ce09140e43548a2 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Mon, 12 Jun 2017 11:36:28 +0200
Subject: [PATCH] fixes #667, check $_GET['page'] to avoid XSS

This can be an issue only on Internet Explorer
---
 admin.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/admin.php b/admin.php
index bdd4abebe..bb9b91274 100644
--- a/admin.php
+++ b/admin.php
@@ -41,6 +41,8 @@ trigger_notify('loc_begin_admin');
 
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('page', $_GET, false, '/^[a-zA-Z\d_-]+$/');
+
 // +-----------------------------------------------------------------------+
 // | Direct actions                                                        |
 // +-----------------------------------------------------------------------+