From: Andreas Gohr <gohr@cosmocode.de>
Date: Tue, 27 Jun 2017 15:04:23 +0200
X-Dgit-Generated: 0.0.20160626.a-2.1 ed9c66b49d621314958ae269c1c4c66e28b3f68b
Subject: filter special chars from ajax call parameter. fixes #2019


---

--- dokuwiki-0.0.20160626.a.orig/lib/exe/ajax.php
+++ dokuwiki-0.0.20160626.a/lib/exe/ajax.php
@@ -15,9 +15,9 @@ header('Content-Type: text/html; charset
 
 //call the requested function
 if($INPUT->post->has('call')){
-    $call = $INPUT->post->str('call');
+    $call = $INPUT->post->filter('utf8_stripspecials')->str('call');
 }else if($INPUT->get->has('call')){
-    $call = $INPUT->get->str('call');
+    $call = $INPUT->get->filter('utf8_stripspecials')->str('call');
 }else{
     exit;
 }
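Review bot: The new `filter('utf8_stripspecials')` on `call` rewrites the value rather than rejecting it, and the `has('call')` checks only test that the parameter is present, so a request made up of stripped characters would presumably continue past this chain with an empty or altered name. Because the comment says this value selects the function to call, an explicit guard after the if/else would make that case fail closed, for example `if($call === '') exit;`. A stricter option is to exit whenever the filtered value differs from the raw one. The dispatch code, and any place the name is echoed into the `text/html` response, lie outside this hunk, so output encoding there should be confirmed separately rather than resting on this filter alone. The identical filter call in both branches could also be factored out so the POST and GET paths cannot drift apart.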
