parse url: Characters like < and > has to be escaped when showing the parsed output.
authorMichael Vogel <icarus@dabo.de>
Sun, 16 Feb 2014 16:35:01 +0000 (17:35 +0100)
committerMichael Vogel <icarus@dabo.de>
Sun, 16 Feb 2014 16:35:01 +0000 (17:35 +0100)
mod/parse_url.php

index cf52011f158eb373bfec7741e44b4977bff7cdcc..66ad1e57cec88b05e1dada78a3fb94dcb07eefb3 100644 (file)
@@ -327,12 +327,14 @@ function parse_url_content(&$a) {
 
        if($url && $title && $text) {
 
+               $title = str_replace(array("\r","\n"),array('',''),$title);
+
                if($textmode)
                        $text = '[quote]' . trim($text) . '[/quote]' . $br;
-               else
-                       $text = '<blockquote>' . trim($text) . '</blockquote><br />';
-
-               $title = str_replace(array("\r","\n"),array('',''),$title);
+               else {
+                       $text = '<blockquote>' . htmlspecialchars(trim($text)) . '</blockquote><br />';
+                       $title = htmlspecialchars($title);
+               }
 
                $result = sprintf($template,$url,($title) ? $title : $url,$text) . $str_tags;
 
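Review bot: In the HTML branch `$url` still reaches `sprintf($template,$url,($title) ? $title : $url,$text)` unescaped, both as the first argument and as the fallback when `$title` is empty, so only two of the three page-derived values are encoded. `$template` is defined outside this hunk, so this is inferred, but if it is HTML markup then add `$url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');` inside the new `else` block, unless the URL is already encoded earlier in parse_url_content. The new `htmlspecialchars()` calls here and in the second hunk (`@@ -381,7 +383,7`) rely on the default flags, which leave single quotes unescaped. Passing `ENT_QUOTES, 'UTF-8'` explicitly keeps the output safe if a value ever lands in a single-quoted attribute, and makes it independent of the PHP version's default charset.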
@@ -381,7 +383,7 @@ function parse_url_content(&$a) {
                if($textmode)
                        $text = '[quote]'.trim($text).'[/quote]';
                else
-                       $text = '<blockquote>'.trim($text).'</blockquote>';
+                       $text = '<blockquote>'.htmlspecialchars(trim($text)).'</blockquote>';
        }
 
        if($image) {