From 374d6c6b19b1219ed9b27031fe8128ad9bb6cd72 Mon Sep 17 00:00:00 2001
From: Anton Reutov <a.reutov@outlook.com>
Date: Tue, 27 Jul 2021 22:01:10 +0300
Subject: [PATCH] htmlentities() for token

---
 web/add/user/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/add/user/index.php b/web/add/user/index.php
index 2cc79287f..f622b9d44 100644
--- a/web/add/user/index.php
+++ b/web/add/user/index.php
@@ -99,7 +99,7 @@ if (!empty($_POST['ok'])) {
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
         $_SESSION['ok_msg'] = __('USER_CREATED_OK',htmlentities($_POST['v_username']),htmlentities($_POST['v_username']));
-        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".htmlentities($_POST['v_username']).">" . __('login as') ." ".htmlentities($_POST['v_username']). "</a>";
+        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".htmlentities($_POST['v_username'])."&token=".htmlentities($_SESSION['token']).">" . __('login as') ." ".htmlentities($_POST['v_username']). "</a>";
         unset($v_username);
         unset($v_password);
         unset($v_email);