Fix XSS in crossdomain.php

Thanks to Rektile404 for reporting this bug! https://github.com/rektile
2026-03-21 17:50:29 -05:00 · 2025-11-13 12:56:20 +00:00 · 2025-11-13 12:56:20 +00:00 · f12dec091d
commit f12dec091d
parent 64e79f49eb
1 changed files with 1 additions and 1 deletions
--- a/play.pokemonshowdown.com/crossdomain.php
+++ b/play.pokemonshowdown.com/crossdomain.php
@ -14,7 +14,7 @@ if (preg_match('/^([a-z0-9-_\.]*?)\.psim\.us$/', $host, $m)) {
 	die; // not authorised
 }

-$protocol = @$_REQUEST['protocol'] ?? 'http:';
+$protocol = @$_REQUEST['protocol'] === 'https:' ? 'https:' : 'http:';
 $portType = ($protocol === 'http:' ? 'port' : 'httpsport');

 if ($config['host'] !== 'showdown') {