From 6f6904db3fa4921abc92b936dbc50bfdea0cb225 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Sun, 19 Feb 2012 04:10:12 +0100 Subject: Fix some more XSS vulnerabilities Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer --- web/template/header.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'web/template/header.php') diff --git a/web/template/header.php b/web/template/header.php index 8313bb36..578fcb9a 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -4,7 +4,7 @@ "> - AUR (<?php print $LANG; ?>)<?php if ($title != "") { print " - " . $title; } ?> + AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?> -- cgit v1.2.3-24-g4f1b From 19789c3f759f4162a2eaa4ccc0b6fe0df51957ca Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Sun, 19 Feb 2012 04:49:54 +0100 Subject: Escape all output strings in the header and footer Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly. Signed-off-by: Lukas Fleischer --- web/template/header.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'web/template/header.php') diff --git a/web/template/header.php b/web/template/header.php index 578fcb9a..8749dae6 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -2,7 +2,7 @@ "> + xml:lang="" lang=""> AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?> @@ -52,8 +52,8 @@ reset($SUPPORTED_LANGS); foreach ($SUPPORTED_LANGS as $lang => $lang_name) { print '" - . strtolower($lang) . "\n"; + ."?setlang=" . htmlspecialchars($lang, ENT_QUOTES) . "\" title=\"" . htmlspecialchars($lang_name, ENT_QUOTES) . "\">" + . htmlspecialchars(strtolower($lang)) . "\n"; } ?> -- cgit v1.2.3-24-g4f1b
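Review bot: The `htmlspecialchars($LANG)` and `htmlspecialchars($title)` calls on the added title line leave the charset argument at its default, which is ISO-8859-1 in PHP releases before 5.4 and UTF-8 only afterwards, so how malformed multi-byte text is treated depends on the interpreter rather than on the template. Since the page emits translated, presumably UTF-8, strings, pass the encoding explicitly, e.g. `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`. The same applies to the escaping added in the `@@ -2,7` and `@@ -52,8` hunks of the following commit, so that all of header.php escapes consistently.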
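Review bot: On the added `href` line of the `@@ -52,8` hunk, `htmlspecialchars($lang, ENT_QUOTES)` escapes for the attribute context but not for the URL the value is embedded in, so a key containing `&`, `#` or a space would still change the meaning of the `?setlang=` query while being HTML-safe. The keys of `$SUPPORTED_LANGS` are presumably configuration rather than user input, which limits the exposure, but escaping per context costs one call: `htmlspecialchars(urlencode($lang), ENT_QUOTES)`. The `title` attribute and the `strtolower($lang)` link text are escaped appropriately for their own contexts.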