diff options
| author | Lukas Fleischer <lfleischer@archlinux.org> | 2015-08-31 18:01:13 +0200 |
|---|---|---|
| committer | Lukas Fleischer <lfleischer@archlinux.org> | 2015-08-31 18:04:50 +0200 |
| commit | 209879d63f25276e38337983fc034da08b58ff3a (patch) | |
| tree | 165a592c78f5b928c3db958db69bf76b0cb741bf | |
| parent | 57db4814a47d2a40d4b74e3ae0df261bbfeb45b8 (diff) | |
| download | aur-209879d63f25276e38337983fc034da08b58ff3a.tar.gz aur-209879d63f25276e38337983fc034da08b58ff3a.tar.xz | |
Fix duplicate escaping of action links
The __() helper function already escapes HTML special characters. Do not
escape them again in html_action_*().
Fixes FS#45780.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
| -rw-r--r-- | web/lib/aur.inc.php | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 99975356..7d659132 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, $comaintainers) { * Format a link in the package actions box * * @param string $uri The link target - * @param string $desc The link label + * @param string $inner The HTML code to use for the link label * * @return string The generated HTML code for the action link */ -function html_action_link($uri, $desc) { +function html_action_link($uri, $inner) { if (isset($_COOKIE["AURSID"])) { $code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">'; } else { $code = '<a href="' . get_uri('/login/', true) . '?referer='; $code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">'; } - $code .= htmlspecialchars($desc) . '</a>'; + $code .= $inner . '</a>'; return $code; } @@ -246,11 +246,11 @@ function html_action_link($uri, $desc) { * * @param string $uri The link target * @param string $action The action name (passed as HTTP POST parameter) - * @param string $desc The link label + * @param string $inner The HTML code to use for the link label * * @return string The generated HTML code for the action link */ -function html_action_form($uri, $action, $desc) { +function html_action_form($uri, $action, $inner) { if (isset($_COOKIE["AURSID"])) { $code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" '; $code .= 'method="post">'; @@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) { $code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />'; $code .= '<input type="submit" class="button text-button" name="'; $code .= htmlspecialchars($action, ENT_QUOTES) . '" '; - $code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" />'; + $code .= 'value="' . $inner . '" />'; $code .= '</form>'; } else { $code = '<a href="' . get_uri('/login/', true) . '">'; - $code .= htmlspecialchars($desc) . '</a>'; + $code .= $inner . '</a>'; } return $code; |