From f12dec091d098b13620e099a39cd2279b5c9ddb3 Mon Sep 17 00:00:00 2001
From: Guangcong Luo
Date: Thu, 13 Nov 2025 12:56:20 +0000
Subject: [PATCH] Fix XSS in crossdomain.php

Thanks to Rektile404 for reporting this bug! https://github.com/rektile
---
 play.pokemonshowdown.com/crossdomain.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/play.pokemonshowdown.com/crossdomain.php b/play.pokemonshowdown.com/crossdomain.php
index cde6bc68b..e31ea6244 100644
--- a/play.pokemonshowdown.com/crossdomain.php
+++ b/play.pokemonshowdown.com/crossdomain.php
@@ -14,7 +14,7 @@ if (preg_match('/^([a-z0-9-_\.]*?)\.psim\.us$/', $host, $m)) {
 die; // not authorised
 }

-$protocol = @$_REQUEST['protocol'] ?? 'http:';
+$protocol = @$_REQUEST['protocol'] === 'https:' ? 'https:' : 'http:';
 $portType = ($protocol === 'http:' ? 'port' : 'httpsport');

 if ($config['host'] !== 'showdown') {
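Review bot: The new `$protocol` line allowlists the value at its source, but nothing on it records why it must stay a comparison against two literals, and the place where `$protocol` is written out is outside this hunk. A comment such as `// Allowlist only: $protocol is reflected into the response, never pass the raw request value through` would keep a later edit from loosening it. Presumably the sink still prints the variable unescaped; encoding it there for its output context would also cover any other request-derived value that reaches the same output. The `@` can go as well, since `$protocol = ($_REQUEST['protocol'] ?? '') === 'https:' ? 'https:' : 'http:';` gives the same result without suppressing errors. The `if ($config['host'] !== 'showdown') {` block opened on the last context line continues outside the hunk.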