From ed085523c6446b28bbb60b209e67e46e5d60da1a Mon Sep 17 00:00:00 2001
From: longxinhui
Date: Thu, 26 Nov 2020 18:07:55 +0800
Subject: [PATCH] Fix reflected XSS with symbol parameter #50

Fix reflected XSS with symbol parameter #50
---
 extension/php_xhprof.h          | 2 +-
 xhprof_lib/utils/xhprof_lib.php | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/extension/php_xhprof.h b/extension/php_xhprof.h
index cf3ce826..e7d42b5c 100755
--- a/extension/php_xhprof.h
+++ b/extension/php_xhprof.h
@@ -39,7 +39,7 @@ extern zend_module_entry xhprof_module_entry;
  */
 
 /* XHProf version */
-#define XHPROF_VERSION "2.2.2-dev"
+#define XHPROF_VERSION "2.2.3"
 
 #define XHPROF_FUNC_HASH_COUNTERS_SIZE 1024
 
diff --git a/xhprof_lib/utils/xhprof_lib.php b/xhprof_lib/utils/xhprof_lib.php
index 4a07e900..c63bf1eb 100644
--- a/xhprof_lib/utils/xhprof_lib.php
+++ b/xhprof_lib/utils/xhprof_lib.php
@@ -909,6 +909,10 @@ function xhprof_param_init($params) {
       $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
     }
 
+    if ($k == 'symbol') {
+      $p = strip_tags($p);
+    }
+
     // create a global variable using the parameter name.
     $GLOBALS[$k] = $p;
   }
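Review bot: `strip_tags($p)` in the new `symbol` branch of xhprof_param_init is not a reliable fix for the reflected XSS it targets: it only removes tag-shaped text and leaves quotes, `&` and entity-encoded input intact, so a value that is later echoed inside an HTML attribute or a JavaScript string stays injectable, and it also alters any legitimate symbol containing `<`. The durable control is output encoding at the sink — `htmlspecialchars($symbol, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` wherever `$symbol` is printed into a report page — with this input filter kept at most as defence in depth; the sinks are outside this diff, so that is inferred from the commit message. The comparison should also be strict, `if ($k === 'symbol') {`, since `$k` comes straight from the request parameter array. The enclosing function starts before the hunk, and the `$GLOBALS[$k] = $p` assignment below applies to every key, so the other parameters presumably receive no comparable treatment — worth confirming against the callers.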