authorLukas Fleischer <lfleischer@archlinux.org>2015-08-31 18:01:13 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2015-08-31 18:04:50 +0200
commit209879d63f25276e38337983fc034da08b58ff3a (patch)
tree165a592c78f5b928c3db958db69bf76b0cb741bf /web/lib/aur.inc.php
parent57db4814a47d2a40d4b74e3ae0df261bbfeb45b8 (diff)
Fix duplicate escaping of action links
The __() helper function already escapes HTML special characters. Do not escape them again in html_action_*(). Fixes FS#45780. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib/aur.inc.php')
-rw-r--r--web/lib/aur.inc.php14
1 files changed, 7 insertions, 7 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 99975356..7d659132 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, $comaintainers) {
* Format a link in the package actions box
*
* @param string $uri The link target
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
*
* @return string The generated HTML code for the action link
*/
-function html_action_link($uri, $desc) {
+function html_action_link($uri, $inner) {
if (isset($_COOKIE["AURSID"])) {
$code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
} else {
$code = '<a href="' . get_uri('/login/', true) . '?referer=';
$code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">';
}
- $code .= htmlspecialchars($desc) . '</a>';
+ $code .= $inner . '</a>';
return $code;
}
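Review bot: `html_action_link()` now appends `$inner` to the anchor without escaping, so the output is safe only if every caller passes a string that is already HTML-escaped, and the new `@param` text ("The HTML code to use for the link label") does not state that requirement. I would make the contract explicit, e.g. `@param string $inner The link label as HTML; must already be escaped by the caller (e.g. the return value of __())`. The same applies to both `$inner` uses in `html_action_form()` in the later hunks, where one of them lands inside the double-quoted `value="..."` attribute of the submit button. That use additionally depends on the caller's escaping covering `"`, which cannot be confirmed from this diff because `__()` is not shown. It would be worth checking every call site of both functions for a label that does not come from `__()`.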
@@ -246,11 +246,11 @@ function html_action_link($uri, $desc) {
*
* @param string $uri The link target
* @param string $action The action name (passed as HTTP POST parameter)
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
*
* @return string The generated HTML code for the action link
*/
-function html_action_form($uri, $action, $desc) {
+function html_action_form($uri, $action, $inner) {
if (isset($_COOKIE["AURSID"])) {
$code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" ';
$code .= 'method="post">';
@@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) {
$code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />';
$code .= '<input type="submit" class="button text-button" name="';
$code .= htmlspecialchars($action, ENT_QUOTES) . '" ';
- $code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" />';
+ $code .= 'value="' . $inner . '" />';
$code .= '</form>';
} else {
$code = '<a href="' . get_uri('/login/', true) . '">';
- $code .= htmlspecialchars($desc) . '</a>';
+ $code .= $inner . '</a>';
}
return $code;