From ab93bb009c8533c8847aafe76ba9774d9d74e7ca Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Tue, 5 Jan 2016 12:15:50 +0100
Subject: [PATCH] XSS vulnerability when remote-subscribing ->raw was used on non-filtered strings for some reasons, changed to ->text.
---
 plugins/OStatus/actions/ostatussub.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/plugins/OStatus/actions/ostatussub.php b/plugins/OStatus/actions/ostatussub.php
index b0c088e55d..75c75c54c6 100644
--- a/plugins/OStatus/actions/ostatussub.php
+++ b/plugins/OStatus/actions/ostatussub.php
@@ -193,31 +193,31 @@ class OStatusSubAction extends Action
 $hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname entity_nickname';
 $this->elementStart('a', array('href' => $profile, 'class' => 'url '.$hasFN));
- $this->raw($nickname);
+ $this->text($nickname);
 $this->elementEnd('a');
 if (!is_null($fullname)) {
 $this->elementStart('div', 'fn entity_fn');
- $this->raw($fullname);
+ $this->text($fullname);
 $this->elementEnd('div');
 }
 if (!is_null($location)) {
 $this->elementStart('div', 'label entity_location');
- $this->raw($location);
+ $this->text($location);
 $this->elementEnd('div');
 }
 if (!is_null($homepage)) {
 $this->elementStart('a', array('href' => $homepage, 'class' => 'url entity_url'));
- $this->raw($homepage);
+ $this->text($homepage);
 $this->elementEnd('a');
 }
 if (!is_null($note)) {
 $this->elementStart('div', 'note entity_note');
- $this->raw($note);
+ $this->text($note);
 $this->elementEnd('div');
 }
 $this->elementEnd('div');
--
2.39.5
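Review bot: The `href` attributes on the two anchors in this hunk still receive `$profile` and `$homepage` as-is, and switching the element bodies from raw() to text() does not cover them: attribute escaping blocks markup injection but does nothing about a non-HTTP scheme in the URL value itself. I cannot see from the hunk whether these values are validated earlier in the method (its start and end lie outside the hunk), so if they are not, gate the homepage anchor on the scheme, e.g. `if (!is_null($homepage) && in_array(parse_url($homepage, PHP_URL_SCHEME), array('http', 'https'), true)) {`, and apply the same check to `$profile` before the first `elementStart('a', ...)`. The five text() replacements are the right fix for the element content and need no further change.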