From d9cd81508be6c3c11692811c24d8c8ff7f0b7ff8 Mon Sep 17 00:00:00 2001 From: divinity76 Date: Fri, 19 Apr 2019 21:23:57 +0200 Subject: [PATCH] patch XSS vulnerability (#358) the powergamers page was vulnerable to XSS/javascript injection, this should fix it. XSS screenshot: https://i.imgur.com/4rJuWqY.png XSS POC:
--- powergamers.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/powergamers.php b/powergamers.php index e7e7042..e6d1af9 100644 --- a/powergamers.php +++ b/powergamers.php @@ -15,8 +15,8 @@ include 'layout/overall/footer.php'; $today = true; if ($days) { $selected = ($_POST['days']); - $days = $selected[1]; - $vocation = $selected[0]; + $days = (int) $selected[1]; + $vocation = (int) $selected[0]; if ($days > 0) $today = false; } else {
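Review bot: The casts at `$days = (int) $selected[1];` and `$vocation = (int) $selected[0];` neutralise injected markup, but `$_POST['days']` is still indexed without any check on its type or length. A string shorter than two characters raises a PHP notice or warning on the missing offset, and an array-valued `days[]` parameter makes each element an array, which `(int)` silently turns into 0 or 1 instead of rejecting. Consider validating first, e.g. `$selected = is_string($_POST['days']) ? $_POST['days'] : '';` then `$days = isset($selected[1]) ? (int) $selected[1] : 0;` (likewise for `$vocation`), and checking both against the values the form actually offers. The places where these values are echoed are outside the hunk; if they print request-derived data directly, escaping there with `htmlspecialchars()` would keep the page safe even if another input path is added later. The `if ($days)` block opens inside the hunk and continues past its last line.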