From: Mikael Nordfeldth
Date: Tue, 5 Jan 2016 11:15:50 +0000 (+0100)
Subject: XSS vulnerability when remote-subscribing
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=ab93bb009c8533c8847aafe76ba9774d9d74e7ca;p=quix0rs-gnu-social.git
XSS vulnerability when remote-subscribing
->raw was used on non-filtered strings for some reasons, changed to ->text.
---
diff --git a/plugins/OStatus/actions/ostatussub.php b/plugins/OStatus/actions/ostatussub.php
index b0c088e55d..75c75c54c6 100644
--- a/plugins/OStatus/actions/ostatussub.php
+++ b/plugins/OStatus/actions/ostatussub.php
@@ -193,31 +193,31 @@ class OStatusSubAction extends Action
 $hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname entity_nickname';
 $this->elementStart('a', array('href' => $profile, 'class' => 'url '.$hasFN));
- $this->raw($nickname);
+ $this->text($nickname);
 $this->elementEnd('a');
 if (!is_null($fullname)) {
 $this->elementStart('div', 'fn entity_fn');
- $this->raw($fullname);
+ $this->text($fullname);
 $this->elementEnd('div');
 }
 if (!is_null($location)) {
 $this->elementStart('div', 'label entity_location');
- $this->raw($location);
+ $this->text($location);
 $this->elementEnd('div');
 }
 if (!is_null($homepage)) {
 $this->elementStart('a', array('href' => $homepage, 'class' => 'url entity_url'));
- $this->raw($homepage);
+ $this->text($homepage);
 $this->elementEnd('a');
 }
 if (!is_null($note)) {
 $this->elementStart('div', 'note entity_note');
- $this->raw($note);
+ $this->text($note);
 $this->elementEnd('div');
 }
 $this->elementEnd('div');
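Review bot: The `href` values built from `$profile` and `$homepage` on the two `elementStart('a', ...)` context lines are still emitted with no scheme check, so while the switch to `->text()` stops markup injection through the link text, a remote profile whose homepage is a `javascript:` URL would remain a click-to-execute vector if `elementStart` only entity-escapes attribute values (presumably via XMLWriter, not visible here). Consider gating the homepage anchor on an http(s) scheme, e.g. `if (!is_null($homepage) && in_array(strtolower((string) parse_url($homepage, PHP_URL_SCHEME)), array('http', 'https'), true)) {`, and applying the same check to `$profile` unless the caller already validates it. The enclosing method starts before this hunk.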