XSS vulnerability when remote-subscribing
authorMikael Nordfeldth <mmn@hethane.se>
Tue, 5 Jan 2016 11:15:50 +0000 (12:15 +0100)
committerMikael Nordfeldth <mmn@hethane.se>
Tue, 5 Jan 2016 11:15:50 +0000 (12:15 +0100)
->raw was used on non-filtered strings for some reason; changed
to ->text.

plugins/OStatus/actions/ostatussub.php

index b0c088e55d50872fb10a516a2e6a6229c0a2e574..75c75c54c6e64667e51965d845f328edaf458311 100644 (file)
@@ -193,31 +193,31 @@ class OStatusSubAction extends Action
         $hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname entity_nickname';
         $this->elementStart('a', array('href' => $profile,
                                        'class' => 'url '.$hasFN));
-        $this->raw($nickname);
+        $this->text($nickname);
         $this->elementEnd('a');
 
         if (!is_null($fullname)) {
             $this->elementStart('div', 'fn entity_fn');
-            $this->raw($fullname);
+            $this->text($fullname);
             $this->elementEnd('div');
         }
 
         if (!is_null($location)) {
             $this->elementStart('div', 'label entity_location');
-            $this->raw($location);
+            $this->text($location);
             $this->elementEnd('div');
         }
 
         if (!is_null($homepage)) {
             $this->elementStart('a', array('href' => $homepage,
                                            'class' => 'url entity_url'));
-            $this->raw($homepage);
+            $this->text($homepage);
             $this->elementEnd('a');
         }
 
         if (!is_null($note)) {
             $this->elementStart('div', 'note entity_note');
-            $this->raw($note);
+            $this->text($note);
             $this->elementEnd('div');
         }
         $this->elementEnd('div');
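Review bot: The two `href` attributes built from `$profile` (L15) and `$homepage` (L36) are the remaining sinks this commit does not touch: elementStart presumably attribute-escapes the value (not visible in the hunk, worth confirming), but escaping does not constrain the URL scheme, so a remote profile's homepage is emitted as a clickable link with whatever scheme it carries unless it is validated where `$homepage` is assigned, which lies outside this hunk. If no upstream check exists, guard the link with an allowlist, e.g. `if (!is_null($homepage) && in_array(parse_url($homepage, PHP_URL_SCHEME), ['http', 'https'], true)) {` (the project may already have a helper for this; prefer it if so). Separately, L14 tests `$fullname !== ''` while L21 tests `!is_null($fullname)`, so an empty-string fullname still produces an empty `div.fn` — aligning both on `$fullname !== null && $fullname !== ''` would make the two checks consistent. The enclosing method starts before this hunk.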