From 0413ec44148117a99e4ce5888e2d11af4790666d Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Wed, 23 Apr 2014 07:43:17 +0100
Subject: [PATCH] xssClean using 'html' filter
---
editor.php | 2 +-
lib/settings-update.php | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/editor.php b/editor.php
index 83b53d4..8fab1c0 100644
--- a/editor.php
+++ b/editor.php
@@ -83,7 +83,7 @@ h2 {color: rgba(0,198,255,0.7)}

your device

Browser:
-

+

Your IP:


diff --git a/lib/settings-update.php b/lib/settings-update.php
index be501e6..f4c5b7e 100644
--- a/lib/settings-update.php
+++ b/lib/settings-update.php
@@ -7,7 +7,7 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 $repPosEnd = strpos($settingsContents,'"plugins"');
 // Prepare all our vars
- $ICEcoder["root"] = strClean($_POST['root']);
+ $ICEcoder["root"] = xssClean($_POST['root'],"html");
 $ICEcoder["checkUpdates"] = isset($_POST['checkUpdates']) && $_POST['checkUpdates'] ? "true" : "false";
 $ICEcoder["openLastFiles"] = isset($_POST['openLastFiles']) && $_POST['openLastFiles'] ? "true" : "false";
 $ICEcoder["findFilesExclude"] = 'array("'.str_replace(',','","',str_replace(" ","",strClean($_POST['findFilesExclude']))).'")';
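Review bot: The added `xssClean($_POST['root'],"html")` filters `root` for an HTML context, but judging by `$settingsContents` and the `'array("'...'")'` string built for `findFilesExclude` three lines below, the value is presumably written into a PHP settings file, where the characters that matter are quotes, `\` and `$`. What `xssClean` does with those is not visible in this hunk, so the filter should be confirmed against that sink, and `root` should also be checked as a filesystem path before it is stored. `findFilesExclude` still goes through `strClean`, so the two fields are now filtered by different rules with no stated reason. I would add a comment above the assignment along the lines of `// root is written into the settings file: validate it as a path and escape it for a PHP string literal at the write, HTML filtering alone does not cover that`. The enclosing `if` block starts and ends outside the hunk.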