From bb6ebc15219b5efa4d596f0d88c86bc91d017c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=96sterreicher?= <oesi@technikum-wien.at>
Date: Thu, 30 Jan 2020 09:27:16 +0100
Subject: [PATCH] Fixed possible XSS Attack when passing "javascript:" or
 different protocol handler als parameter

---
 cis/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cis/index.php b/cis/index.php
index 60c9aceeb..f9e18cbda 100644
--- a/cis/index.php
+++ b/cis/index.php
@@ -70,7 +70,7 @@ if(defined('CIS_CHECK_PASSWORD_CHANGE') && CIS_CHECK_PASSWORD_CHANGE==true)
  */
 function validURLCheck($param)
 {
-	if(strstr($param,'://'))
+	if(strstr($param,':'))
 	{
 		// Der APP_ROOT muss in der URL vorkommen, sonfern es kein relativer Pfad ist
 		// HTTPS und HTTP
@@ -170,7 +170,7 @@ $db = new basis_db();
 	<script type="text/javascript" src="../vendor/components/jqueryui/jquery-ui.min.js"></script>
 	<script type="text/javascript" src="../include/js/jquery.ui.datepicker.translation.js"></script>
 	<script type="text/javascript" src="../vendor/jquery/sizzle/sizzle.js"></script>
-	<link rel="stylesheet" type="text/css" href="../vendor/twbs/bootstrap/dist/css/bootstrap.min.css">	
+	<link rel="stylesheet" type="text/css" href="../vendor/twbs/bootstrap/dist/css/bootstrap.min.css">
 </head>
 <script type="text/javascript">
 function changeSprache(sprache)