This is a blog of current Qcodo and Qcodo website development activities. Official Qcodo announcements will also be posted here.
Fortunately, it's a simple one-line fix. The fix will obviously be in the upcoming v0.4.21 release, but for those who do not want to update right away and would still like to patch this vulnerability, please feel free to view the commit information on GitHub.
In short, it's a one-line fix on or around line 911 of QFormBase.class.php. All you need to do is wrap the reference to QApplication::$RequestUri in a QApplication::HtmlEntities() method call, so that the line now reads:
$strToReturn .= sprintf('<form method="post" id="%s" action="%s"%s>', $this->strFormId, QApplication::HtmlEntities(QApplication::$RequestUri), $strFormAttributes);
Hopefully this is clear and a straightforward fix for everyone. Given the nature of the vulnerability (it is an XSS issue, and XSS vulnerabilities are never good), I would highly recommend that everyone apply this patch as soon as possible.
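To make the reasoning behind the patch concrete, here is an added example (my own, not Qcodo's code) that renders the form tag the pre-fix way and the patched way from a constructed request URI, then parses each result as a browser would to show what the action attribute actually became. It assumes PHP's htmlentities() with ENT_QUOTES stands in for QApplication::HtmlEntities(); whatever encoder is used must encode the double quote, since the value lands inside a double-quoted attribute.

```php
<?php
// Added example, not Qcodo's code. Shows why echoing the raw request URI into
// the <form action="..."> attribute is an XSS sink, and how entity encoding
// closes it. Assumption: htmlentities() with ENT_QUOTES behaves like
// QApplication::HtmlEntities() for this purpose.

// Pre-fix behaviour, shaped like the original line in QFormBase.class.php
function renderFormTagVulnerable(string $formId, string $requestUri, string $attrs = ''): string
{
    return sprintf('<form method="post" id="%s" action="%s"%s>', $formId, $requestUri, $attrs);
}

// Patched behaviour: the URI is entity-encoded before it is placed in the attribute
function renderFormTagPatched(string $formId, string $requestUri, string $attrs = ''): string
{
    $safeUri = htmlentities($requestUri, ENT_QUOTES, 'UTF-8');
    return sprintf('<form method="post" id="%s" action="%s"%s>', $formId, $safeUri, $attrs);
}

// Parse the markup the way a browser would and report what the action attribute
// became and how many elements the markup produced. A sound rendering yields
// exactly one element whose (decoded) action equals the original URI.
function inspectRenderedForm(string $html, string $expectedUri): array
{
    libxml_use_internal_errors(true);           // malformed input is the point here
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $form = $doc->getElementsByTagName('form')->item(0);
    return [
        'elements'      => $doc->getElementsByTagName('*')->length,
        'action'        => $form ? $form->getAttribute('action') : null,
        'action_intact' => $form !== null && $form->getAttribute('action') === $expectedUri,
    ];
}

// Constructed request URI: a quote closes the attribute early, then markup follows.
$uri = '/index.php?q="><b>injected</b>';

foreach (['vulnerable' => renderFormTagVulnerable('MyForm', $uri),
          'patched'    => renderFormTagPatched('MyForm', $uri)] as $label => $html) {
    $r = inspectRenderedForm($html, $uri);
    printf("%-10s elements=%d action=%s action_intact=%s\n",
        $label, $r['elements'], var_export($r['action'], true), $r['action_intact'] ? 'yes' : 'no');
}
```

The unpatched rendering lets the attacker-controlled quote terminate the attribute, so the parser sees extra elements and a truncated action; the patched rendering keeps the whole URI inside the attribute, where the browser decodes it back to the original value.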
Please post with any questions. Thanks!