From: Philipp Date: Wed, 11 Jan 2023 22:09:40 +0000 (+0100) Subject: Security: Use htmlspecialchars() for user input in Arguments class X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=a31d5ae7b163a076275b6f3c82bfd07608ad214a;p=friendica.git Security: Use htmlspecialchars() for user input in Arguments class --- diff --git a/src/App/Page.php b/src/App/Page.php index 37141426c3..6317214b4f 100644 --- a/src/App/Page.php +++ b/src/App/Page.php @@ -73,6 +73,8 @@ class Page implements ArrayAccess 'right_aside' => '', 'template' => '', 'title' => '', + 'section' => '', + 'module' => '', ]; /** * @var string The basepath of the page @@ -509,6 +511,11 @@ class Page implements ArrayAccess $page = $this->page; + // add and escape some common but crucial content for direct "echo" in HTML (security) + $page['title'] = htmlspecialchars($page['title'] ?? ''); + $page['section'] = htmlspecialchars($args->get(0) ?? 'generic'); + $page['module'] = htmlspecialchars($args->getModuleName() ?? ''); + header("X-Friendica-Version: " . App::VERSION); header("Content-type: text/html; charset=utf-8"); diff --git a/view/theme/frio/php/default.php b/view/theme/frio/php/default.php index d0580373e0..0c6dd3934f 100644 --- a/view/theme/frio/php/default.php +++ b/view/theme/frio/php/default.php @@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser"; ?> - "> + "> t('Skip to main content'); ?>
'; if (!empty($page['content'])) { echo $page['content'];