Escape $tag passed to Profile::getTaggedSubscribers()

This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.

diff --git a/classes/Profile.php b/classes/Profile.php
index cefcaf90b5b6a31823163bf27cfd50c8dd873ff6..540699eb3afdb692de6f1dfd5e3d5177061a8660 100644 (file)
--- a/classes/Profile.php
+++ b/classes/Profile.php
@@ -682,7 +682,7 @@ class Profile extends Managed_DataObject
         $profile = new Profile();
         $tagged = array();
 
-        $cnt = $profile->query(sprintf($qry, $this->id, $this->id, $tag));
+        $cnt = $profile->query(sprintf($qry, $this->id, $this->id, $profile->escape($tag)));
 
         while ($profile->fetch()) {
             $tagged[] = clone($profile);