Merge tag 'v0.9.3' into latest

Release v0.9.3

4 files changed, 12 insertions, 4 deletions

diff --git a/AUTHORS b/AUTHORS
index 105561c1..57ff612a 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1,5 +1,5 @@
-   537  ArthurHoaro <arthur@hoa.ro>
-   252  VirtualTam <virtualtam@flibidi.net>
+   542  ArthurHoaro <arthur@hoa.ro>
+   255  VirtualTam <virtualtam@flibidi.net>
    148  nodiscc <nodiscc@gmail.com>
     56  Sébastien Sauvage <sebsauvage@sebsauvage.net>
     15  Florian Eula <eula.florian@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 511a6bce..0a7b120c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [v0.9.3](https://github.com/shaarli/Shaarli/releases/tag/v0.9.3) - 2018-01-04
+
+**XSS vulnerability fixed. Please update.**
+
+### Security
+- Fix an XSS (cross-site-scripting) vulnerability in `index.php`
+
+
 ## [v0.9.2](https://github.com/shaarli/Shaarli/releases/tag/v0.9.2) - 2017-10-07
 
 **Major security issue fixed. Please update.**
diff --git a/index.php b/index.php
index 4068a828..c26f50d1 100644
--- a/index.php
+++ b/index.php
@@ -431,7 +431,7 @@ if (isset($_POST['login']))
     else
     {
         ban_loginFailed($conf);
-        $redir = '&username='. $_POST['login'];
+        $redir = '&username='. urlencode($_POST['login']);
         if (isset($_GET['post'])) {
             $redir .= '&post=' . urlencode($_GET['post']);
             foreach (array('description', 'source', 'title', 'tags') as $param) {
diff --git a/shaarli_version.php b/shaarli_version.php
index 035a86a6..a92b5619 100644
--- a/shaarli_version.php
+++ b/shaarli_version.php
@@ -1 +1 @@
-<?php /* 0.9.2 */ ?>
+<?php /* 0.9.3 */ ?>