if ($form_tag_attrs) {
foreach ($form_tag_attrs as $name => $attr) {
- $form .= sprintf(" %s=\"%s\"", $name, $attr);
+ $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr));
}
}
foreach ($this->toPostArgs() as $name => $value) {
$form .= sprintf(
"<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
- $name, $value);
+ htmlspecialchars($name), htmlspecialchars($value));
}
$form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
- $submit_text);
+ htmlspecialchars($submit_text));
$form .= "</form>\n";