Fix XSS vulnerability in registerActivation.tpl
Author: Tim Düsterhus <duesterhus@woltlab.com>
Mon, 16 Jan 2023 13:40:29 +0000 (14:40 +0100)
Committer: Tim Düsterhus <duesterhus@woltlab.com>
Mon, 16 Jan 2023 13:50:17 +0000 (14:50 +0100)
This was introduced in a477e3522933a7204b02013cd6b6d47d0db1d254 when the
activation logic was refactored to no longer use numeric-only activation codes.

Thanks to Chabik Hatim for responsibly reporting the vulnerability.

com.woltlab.wcf/templates/registerActivation.tpl

index f135cf460799bbdd3b590b88de277eb52a30cef5..24d97fe46ce0bfb07c08c5273e4c5daed9d9a0bb 100644
@@ -25,7 +25,7 @@
                <dl{if $errorField == 'activationCode'} class="formError"{/if}>
                        <dt><label for="activationCode">{lang}wcf.user.activationCode{/lang}</label></dt>
                        <dd>
-                               <input type="text" id="activationCode" maxlength="40" name="activationCode" value="{@$activationCode}" required class="medium">
+                               <input type="text" id="activationCode" maxlength="40" name="activationCode" value="{$activationCode}" required class="medium">
                                {if $errorField == 'activationCode'}
                                        <small class="innerError">
                                                {if $errorType == 'empty'}
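Review bot: The one-character change on the `<input ... value="...">` line is the whole fix: dropping the `@` from `{@$activationCode}` removes the raw-output modifier, so the template engine's default HTML escaping now applies to a value that, per the commit message, is user-supplied (the refactoring in a477e3522933a7204b02013cd6b6d47d0db1d254 made it free-form text instead of numeric-only, which is why reflecting it unescaped into an attribute became exploitable). Two follow-ups would make this review complete: first, the same refactoring may have introduced other templates that echo the activation code or related request parameters, so every `{@$...}` that outputs request-derived data added in that commit should be checked in the same pass, not just this one line; second, a regression test (or at least a note in the changelog) that asserts the rendered `value` attribute is escaped for a code containing `"` and `<` would keep a future "cleanup" from reintroducing the `@`.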