fix(msg_dialog) Escape HTML in error dialogs

We’ll need to check there is no error message which actually needs HTML. issue #5907

fix(msg_dialog) Escape HTML in error dialogs
We’ll need to check there is no error message which actually needs HTML. issue #5907
5ba0f704 · Côme Chilliet · 60cdb7c6 · 5ba0f704 · 5ba0f704
Commit 5ba0f704 authored 6 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 4 additions and 4 deletions
+4 -4
--- a/ihtml/themes/breezy/msg_dialog.tpl
+++ b/ihtml/themes/breezy/msg_dialog.tpl
@@ -41,12 +41,12 @@
      {elseif $i_Type == $smarty.const.INFO_DIALOG || $i_Type == $smarty.const.CONFIRM_DIALOG}
        <img src="geticon.php?context=status&amp;icon=dialog-information&amp;size=32" class="center" alt="{t}Information{/t}"/>
      {/if}
-        {$s_Title}
+        {$s_Title|escape}
      </h2>
    </div>
    <div style="z-index:250;width:100%;">
-      {$s_Message}
+      {$s_Message|escape}
    </div>
    <div class="plugbottom">
      {if $s_Trace != "" && $i_TraceCnt != 0}

--- a/include/class_msg_dialog.inc
+++ b/include/class_msg_dialog.inc
@@ -172,8 +172,8 @@ class msg_dialog
              <img src="geticon.php?context=status&amp;icon=dialog-error&amp;size=32" alt="'._('Error').'"/>
            </td>
            <td style="width:100%">
-              <b>'.$this->s_Title.'</b><br/>
+              <b>'.htmlentities($this->s_Title, ENT_COMPAT, 'UTF-8').'</b><br/>
-              '.$this->s_Message.'<br><br/>
+              '.htmlentities($this->s_Message, ENT_COMPAT, 'UTF-8').'<br><br/>
              '._('Please fix the above error and reload the page.').'
            </td>
          </tr>