Correction to prevent injection from Cookie

ture2307 · ture2307 · commit f5c8f29bac02 · 2025-04-02T10:13:10.000-04:00
diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php
@@ -190,8 +190,8 @@ function &dvwaPageNewGrab() {
 
 
 function dvwaThemeGet() {
-	if (isset($_COOKIE['theme']) && in_array($_COOKIE['theme'], ['dark', 'light'])) {
-		return $_COOKIE[ 'theme' ];
+	if (isset($_COOKIE['theme']) && $_COOKIE['theme'] === 'dark') {
+		return 'dark';
 	}
 	return 'light';
 }

Original file line number	Diff line number	Diff line change
`@@ -190,8 +190,8 @@ function &dvwaPageNewGrab() {`
`190`	`190`
`191`	`191`
`192`	`192`	`function dvwaThemeGet() {`
`193`		`- if (isset($_COOKIE['theme']) && in_array($_COOKIE['theme'], ['dark', 'light'])) {`
`194`		`- return $_COOKIE[ 'theme' ];`
	`193`	`+ if (isset($_COOKIE['theme']) && $_COOKIE['theme'] === 'dark') {`
	`194`	`+ return 'dark';`
`195`	`195`	`}`
`196`	`196`	`return 'light';`
`197`	`197`	`}`