Special characters should be escaped

author Michael Vogel <ike@pirati.ca>

Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)

committer Michael Vogel <ike@pirati.ca>

Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
author Michael Vogel <ike@pirati.ca>
Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
committer Michael Vogel <ike@pirati.ca>
Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
diff --git a/mod/profile.php b/mod/profile.php

index 681b1dbd1cdd45974b9ee00b16ccf83dbcb9c544..a8a6ad3885d679a4bb40535c5df5191813655dd2 100644 (file)
--- a/mod/profile.php
+++ b/mod/profile.php
@@ -10,7 +10,7 @@ function profile_init(&$a) {
                 $a->page['aside'] = '';
  
         if($a->argc > 1)
-               $which = $a->argv[1];
+               $which = htmlspecialchars($a->argv[1]);
         else {
                 $r = q("select nickname from user where blocked = 0 and account_expired = 0 and account_removed = 0 and verified = 1 order by rand() limit 1");
                 if(count($r)) {
@@ -27,7 +27,7 @@ function profile_init(&$a) {
         $profile = 0;
         if((local_user()) && ($a->argc > 2) && ($a->argv[2] === 'view')) {
                 $which = $a->user['nickname'];
-               $profile = $a->argv[1];
+               $profile = htmlspecialchars($a->argv[1]);
         }
         else {
                 auto_redir($a, $which);
diff --git a/view/theme/frio/php/default.php b/view/theme/frio/php/default.php

index db3a92a62634299a47345694d5a5eb666f7a47c0..bfc11a35806abd10a08efef110f17b74777c6413 100644 (file)
--- a/view/theme/frio/php/default.php
+++ b/view/theme/frio/php/default.php
@@ -17,7 +17,7 @@
  <html>
  <head>
         <title><?php if(x($page,'title')) echo $page['title'] ?></title>
-       <meta request="<?php echo $_REQUEST['pagename'] ?> ">
+       <meta request="<?php echo htmlspecialchars($_REQUEST['pagename']) ?> ">
         <script>var baseurl="<?php echo $a->get_baseurl() ?>";</script>
         <script>var frio="<?php echo "view/theme/frio"; ?>";</script>
         <?php $baseurl = $a->get_baseurl(); ?>
diff --git a/view/theme/frio/php/standard.php b/view/theme/frio/php/standard.php

index 5535b9ed71340a9b5a628dfb2bbb56cde2af5dac..4a92a6aecfa63efbe8ca0c755453367e5cc9c44a 100644 (file)
--- a/view/theme/frio/php/standard.php
+++ b/view/theme/frio/php/standard.php
@@ -11,7 +11,7 @@
  <head>
         <title><?php if(x($page,'title')) echo $page['title'] ?></title>
         <meta name="viewport" content="initial-scale=1.0">
-       <meta request="<?php echo $_REQUEST['pagename'] ?> ">
+       <meta request="<?php echo htmlspecialchars($_REQUEST['pagename']) ?> ">
         <script>var baseurl="<?php echo $a->get_baseurl() ?>";</script>
         <script>var frio="<?php echo "view/theme/frio"; ?>";</script>
         <?php $baseurl = $a->get_baseurl(); ?>
author	Michael Vogel <ike@pirati.ca>
	Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
committer	Michael Vogel <ike@pirati.ca>
	Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
mod/profile.php		patch \| blob \| history
view/theme/frio/php/default.php		patch \| blob \| history
view/theme/frio/php/standard.php		patch \| blob \| history