From 6f6904db3fa4921abc92b936dbc50bfdea0cb225 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Sun, 19 Feb 2012 04:10:12 +0100 Subject: Fix some more XSS vulnerabilities Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer --- web/template/header.php | 2 +- web/template/pkg_details.php | 2 +- web/template/stats/updates_table.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/web/template/header.php b/web/template/header.php index 8313bb36..578fcb9a 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -4,7 +4,7 @@ "> - AUR (<?php print $LANG; ?>)<?php if ($title != "") { print " - " . $title; } ?> + AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?> diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 880a6758..046f836b 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -69,7 +69,7 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[


- ' . $row['URL'] ?>
+ ' . htmlspecialchars($row['URL']) ?>

diff --git a/web/template/stats/updates_table.php b/web/template/stats/updates_table.php index a8cdf5aa..8da67320 100644 --- a/web/template/stats/updates_table.php +++ b/web/template/stats/updates_table.php @@ -11,7 +11,7 @@ "> - + -- cgit v1.2.3-24-g4f1b