Timestamp:
Jan 17, 2016, 10:07:13 PM (8 years ago)
Author:
chronos
Message:
  • Fixed: Use htmlspecialchars() on user-supplied content so it cannot break the page's HTML structure. Added for forum, teams, dictionary and profile text.
File:
1 edited

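--- a/trunk/Modules/User/Options.php
+++ b/trunk/Modules/User/Options.php
@@ -30,5 +30,5 @@
       '<tr><td>'.T('Preferred client version').': </td><td>'.ClientVersionSelection($this->System->User->PreferredVersion).'</td></tr>'.
       '<tr><td>'.T('Public profile text').':</td><td>'.
-      '<textarea name="info" cols="60" rows="10">'.$this->System->User->Info.'</textarea></td></tr>';
+      '<textarea name="info" cols="60" rows="10">'.htmlspecialchars($this->System->User->Info).'</textarea></td></tr>';
 
     $Output .= '<tr><td>';
@@ -64,5 +64,5 @@
       $Output .= '<option value="'.$LineTeam['Id'].'"';
       if ($LineTeam['Id'] == $this->System->User->Team) $Output .= ' selected="selected"';
-      $Output .= '>'.$LineTeam['Name'].'</option>';
+      $Output .= '>'.htmlspecialchars($LineTeam['Name']).'</option>';
     }
     $Output .= '</select> <input type="submit" value="'.T('Enter').'" />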
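Review bot: Both new htmlspecialchars() calls rely on the default flags, which on PHP 5.4+ means ENT_COMPAT without ENT_SUBSTITUTE, so a stored value containing an invalid UTF-8 byte sequence is rendered as an empty string; for the profile textarea that silently blanks the user's text in the edit form, and a resave would then overwrite it. Passing the flags explicitly also pins the charset instead of depending on default_charset in php.ini: `htmlspecialchars($this->System->User->Info, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and `htmlspecialchars($LineTeam['Name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The context line `'<option value="'.$LineTeam['Id'].'"'` still interpolates a value into a double-quoted attribute unescaped; if Id is an integer primary key this is harmless, but if it is ever a string from the same table it needs the same ENT_QUOTES treatment. The commit message mentions forum, teams and dictionary output as well, but only this file is in the changeset, so those call sites could not be reviewed here. Both hunks sit inside a method whose start and end are outside the diff.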