# XXX: form token in $_SESSION to prevent XSS
# XXX: login throttle
$openid_url = $this->trimmed('openid_url');
- if (!common_valid_http_url($openid_url)) {
- $this->show_form(_t('OpenID must be a valid URL.'));
- return;
- }
$consumer = oid_consumer();
$form_id = 'openid_message';
$form_html = $auth_request->formMarkup($trust_root, $process_url,
false, array('id' => $form_id));
-
+
+ # XXX: This is cheap, but things choke if we don't escape ampersands
+ # in the HTML attributes
+
+ $form_html = preg_replace('/&/', '&', $form_html);
+
// Display an error if the form markup couldn't be generated;
// otherwise, render the HTML.
if (Auth_OpenID::isFailure($form_html)) {
common_element('script', NULL,
'$(document).ready(function() { ' .
' $("#'. $form_id .'").submit(); '.
- '}');
+ '});');
common_show_footer();
}
}
projects / quix0rs-gnu-social.git / blobdiff