Remove non-digit chars from isbn to prevent html insertion attacks

diff --git a/includes/SpecialBooksources.php b/includes/SpecialBooksources.php
index f0017f5..b1ae00f 100644 (file)
--- a/includes/SpecialBooksources.php
+++ b/includes/SpecialBooksources.php
@@ -5,7 +5,7 @@
 
 function wfSpecialBooksources()
 {
-       $isbn = $_REQUEST["isbn"];
+       $isbn = preg_replace( '/[^0-9X]/', '', $_REQUEST["isbn"] );
 
        $bsl = new BookSourceList( $isbn );
        $bsl->show();