Description
Several locations in notify_lists.php interpolate get_request_var('id') directly into JavaScript string literals without html_escape() or intval().
Affected Files
notify_lists.php lines 1141, 1151, 1512, 1523, 1803, 1811
Risk
Post-authentication reflected XSS if id is not validated as integer in all code paths. The page hidden inputs at thold_graph.php lines 254 and 1267 have the same pattern but are integer-validated, making them very low risk.
Suggested Fix
Wrap all get_request_var('id') outputs in JS context with intval() or use html_escape() at the output site.
Description
Several locations in
notify_lists.phpinterpolateget_request_var('id')directly into JavaScript string literals withouthtml_escape()orintval().Affected Files
notify_lists.phplines 1141, 1151, 1512, 1523, 1803, 1811Risk
Post-authentication reflected XSS if
idis not validated as integer in all code paths. Thepagehidden inputs atthold_graph.phplines 254 and 1267 have the same pattern but are integer-validated, making them very low risk.Suggested Fix
Wrap all
get_request_var('id')outputs in JS context withintval()or usehtml_escape()at the output site.