Special characters should be escaped
authorMichael Vogel <ike@pirati.ca>
Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
committerMichael Vogel <ike@pirati.ca>
Fri, 23 Sep 2016 06:29:02 +0000 (06:29 +0000)
mod/profile.php
view/theme/frio/php/default.php
view/theme/frio/php/standard.php

index 681b1dbd1cdd45974b9ee00b16ccf83dbcb9c544..a8a6ad3885d679a4bb40535c5df5191813655dd2 100644 (file)
@@ -10,7 +10,7 @@ function profile_init(&$a) {
                $a->page['aside'] = '';
 
        if($a->argc > 1)
-               $which = $a->argv[1];
+               $which = htmlspecialchars($a->argv[1]);
        else {
                $r = q("select nickname from user where blocked = 0 and account_expired = 0 and account_removed = 0 and verified = 1 order by rand() limit 1");
                if(count($r)) {
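Review bot: The `+` line HTML-escapes `$which` at input, yet the function goes on to use it as a lookup key (it is passed to `auto_redir($a, $which)` in the next hunk and presumably to the nickname query further down), so a nickname containing `&`, `<`, `>` or `"` would no longer match, and any later escaped rendering of `$which` double-encodes it. htmlspecialchars() is an output encoding, not input validation and not SQL escaping; if the concern is the value reaching a query, that needs the database layer's escaping or a bound parameter at the query, and the HTML escaping belongs where `$which` is echoed. I would keep `$which = $a->argv[1];` here and apply `htmlspecialchars($which, ENT_QUOTES, 'UTF-8')` at the output sites instead. The `$profile` assignment in the following hunk has the same layering issue. profile_init continues outside the hunk.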
@@ -27,7 +27,7 @@ function profile_init(&$a) {
        $profile = 0;
        if((local_user()) && ($a->argc > 2) && ($a->argv[2] === 'view')) {
                $which = $a->user['nickname'];
-               $profile = $a->argv[1];
+               $profile = htmlspecialchars($a->argv[1]);
        }
        else {
                auto_redir($a, $which);
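Review bot: `$profile` defaults to `0` at the top of this hunk and is presumably a numeric profile id, so `htmlspecialchars()` is the wrong check on the `+` line: it leaves a non-numeric string untouched and passes it on to whatever query consumes it, while HTML encoding is irrelevant for an integer. A type constraint is what actually protects the downstream use: `$profile = intval($a->argv[1]);`, or test `ctype_digit($a->argv[1])` first if non-numeric input should be treated as absent rather than coerced to 0. profile_init continues outside the hunk.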
index db3a92a62634299a47345694d5a5eb666f7a47c0..bfc11a35806abd10a08efef110f17b74777c6413 100644 (file)
@@ -17,7 +17,7 @@
 <html>
 <head>
        <title><?php if(x($page,'title')) echo $page['title'] ?></title>
-       <meta request="<?php echo $_REQUEST['pagename'] ?> ">
+       <meta request="<?php echo htmlspecialchars($_REQUEST['pagename']) ?> ">
        <script>var baseurl="<?php echo $a->get_baseurl() ?>";</script>
        <script>var frio="<?php echo "view/theme/frio"; ?>";</script>
        <?php $baseurl = $a->get_baseurl(); ?>
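Review bot: The added `htmlspecialchars($_REQUEST['pagename'])` relies on the default flags and charset: without `ENT_QUOTES` single quotes are left alone, the charset falls back to the `default_charset` ini setting, and invalid UTF-8 input makes the call return an empty string unless `ENT_SUBSTITUTE` is set. Since the value lands in an HTML attribute, be explicit: `htmlspecialchars($_REQUEST['pagename'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The line also raises a notice when `pagename` is absent from the request, which an `isset()` guard or `''` fallback avoids. The identical line in view/theme/frio/php/standard.php needs the same treatment. `$page['title']` two lines above is still echoed without escaping here; worth confirming it is escaped where it is set.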
index 5535b9ed71340a9b5a628dfb2bbb56cde2af5dac..4a92a6aecfa63efbe8ca0c755453367e5cc9c44a 100644 (file)
@@ -11,7 +11,7 @@
 <head>
        <title><?php if(x($page,'title')) echo $page['title'] ?></title>
        <meta name="viewport" content="initial-scale=1.0">
-       <meta request="<?php echo $_REQUEST['pagename'] ?> ">
+       <meta request="<?php echo htmlspecialchars($_REQUEST['pagename']) ?> ">
        <script>var baseurl="<?php echo $a->get_baseurl() ?>";</script>
        <script>var frio="<?php echo "view/theme/frio"; ?>";</script>
        <?php $baseurl = $a->get_baseurl(); ?>