[SECURITY] phpsec user system XSS

[AndrewCarterUK]

Note: I have been asked to log all the security issues that I have found by an OWASP contributor to support the decision to abandon this project. My personal opinion is that all of the code in this repository is beyond repair and that it is not wise to attempt to fix it.

Unescaped output:

phpsec/framework/control/users/temppasscontroller.php

Line 24 in 1999edc

$this->info .= "Your account <b>" . $_GET['user'] . "</b> is now activated." . "<BR>";

This happens in pretty much every controller in the directory.

You can also inject code into emails here:

phpsec/framework/control/users/temppasscontroller.php

Line 39 in 1999edc

$message .= \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/temppass?user=" . $_GET['user'] . "&mode=" . $_GET['mode'] ."&verification=" . $tempPass . "\n\n\n";