Hi,
I need to harden PHPMaker 2025 against reflected XSS via the language parameter.
I already fixed it in the global Language_Load event by whitelisting invalid language IDs back to DEFAULT_LANGUAGE_ID.
Now I want to harden the generated layout too.
The generated template currently uses CurrentLanguageID():
Would the correct fix be to use HtmlEncode(CurrentLanguageID()):
What is the recommended persistent way to apply this in PHPMaker 2025:
- project/server event only
- shared template override
- extension/custom template
Files involved on my side:
- generated runtime: src/userfn.php, views/layout.php
- shared PHPMaker template: @phpmaker/php2025/layout.php
Thanks.
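
The two layers discussed in the post (allowlisting the language ID on input, HTML-encoding it where the layout prints it), as an added example in plain PHP that is not part of the original post and not PHPMaker's generated code. The constants and function names are hypothetical stand-ins and the sample inputs are constructed; it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the project's values; not PHPMaker's own definitions.
const ALLOWED_LANGUAGE_IDS = ['en-US', 'de-DE', 'fr-FR'];
const FALLBACK_LANGUAGE_ID = 'en-US';

/**
 * Layer 1 (input): accept a language ID only if it is an exact, case-sensitive
 * member of the allowlist. Non-strings (a request parameter can arrive as an
 * array in PHP) and unknown values fall back to the default.
 */
function resolveLanguageId(mixed $requested): string
{
    if (is_string($requested) && in_array($requested, ALLOWED_LANGUAGE_IDS, true)) {
        return $requested;
    }
    return FALLBACK_LANGUAGE_ID;
}

/**
 * Layer 2 (output): encode for HTML text and quoted attribute values.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// What a layout would emit: the value is always placed inside a quoted attribute.
function renderHtmlOpenTag(string $languageId): string
{
    return '<html lang="' . encodeForHtml($languageId) . '">';
}

// Constructed sample inputs: one valid ID, one unknown ID, markup, an array, null.
$samples = ['de-DE', 'xx-XX', '"><script>alert(1)</script>', ['en-US'], null];
foreach ($samples as $raw) {
    $id = resolveLanguageId($raw);
    printf("%-36s -> %s\n", json_encode($raw), renderHtmlOpenTag($id));
}

// Output layer on its own: even if validation were bypassed, the markup
// characters are encoded and the value stays inside the attribute.
echo renderHtmlOpenTag('"><script>alert(1)</script>'), "\n";
```

Encoding with `htmlspecialchars` is sufficient only for HTML text and quoted attribute contexts; a language ID written into a URL or an inline script needs the encoding for that context instead.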