Added HTML escaping in places were it was missing

eb492de3 · Côme Chilliet · Mortier Benoit · afbb9474 · eb492de3 · eb492de3
Commit eb492de3 authored 8 years ago by Côme Chilliet Committed by Mortier Benoit 8 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 3 additions and 3 deletions
+3 -3
--- a/include/class_filter.inc
+++ b/include/class_filter.inc
@@ -610,7 +610,7 @@ class filter

        echo '<ul>';
        foreach ($result as $entry) {
-          echo '<li>'.mark($_POST[$tag], $entry).'</li>';
+          echo '<li>'.mark(htmlentities($_POST[$tag], ENT_COMPAT, 'UTF-8'), htmlentities($entry, ENT_COMPAT, 'UTF-8')).'</li>';
          if ($max-- == 0) {
            break;
          }

--- a/include/simpleplugin/class_simpleSelectManagement.inc
+++ b/include/simpleplugin/class_simpleSelectManagement.inc
@@ -74,8 +74,8 @@ class simpleSelectManagement extends simpleManagement
    $dn     = func_get_arg(2);
    $trans  = func_get_arg(3);
    $trans  = $trans[0];
-    if ($trans != "") {
-      return "<a href='?plug=".$_GET['plug']."&amp;PID=$pid&amp;act=listing_select_$row&amp;add_finish=1' title='$dn'>$trans</a>";
+    if ($trans != '') {
+      return '<a href="?plug='.$_GET['plug'].'&amp;PID='.$pid.'&amp;act=listing_select_'.$row.'&amp;add_finish=1" title="'.htmlentities($dn, ENT_COMPAT, 'UTF-8').'">'.htmlentities($trans, ENT_COMPAT, 'UTF-8').'</a>';
    }

    return '';