Timestamp:
Jan 17, 2016, 10:07:13 PM (9 years ago)
Author:
chronos
Message:
  • Fixed: Use htmlspecialchars function for user inserted content to avoid breaking page HTML structure. Added for forum, teams, dictionary and profile text.
File:
1 edited

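--- a/trunk/Modules/User/UserList.php
+++ b/trunk/Modules/User/UserList.php
@@ -20,9 +20,9 @@
     {
       $TeamId = $_GET['team'] * 1;
-      $DbResult = $this->Database->select('Team', 'Name', 'Id='.$TeamId);
+      $DbResult = $this->Database->select('Team', 'Name', '`Id`='.$TeamId);
       if($DbResult->num_rows > 0)
       {
         $Team = $DbResult->fetch_assoc();
-        $Output .= '<h3>'.sprintf(T('Users in team %s'), $Team['Name']).'</h3>';
+        $Output .= '<h3>'.sprintf(T('Users in team %s'), htmlspecialchars($Team['Name'])).'</h3>';
         $TeamFilter = ' AND (`Team`='.$_GET['team'].')';
       } else {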
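Review bot: The `$TeamFilter` assignment on the last context line before `} else {` still concatenates the raw `$_GET['team']` into the SQL condition, even though the numerically coerced `$TeamId` is computed at the top of the hunk and is what the `select()` call uses; the request value therefore reaches whatever query consumes `$TeamFilter` without validation. Use the coerced value there, i.e. replace `$_GET['team']` with `$TeamId` in that assignment. The `* 1` coercion also accepts floats and, on PHP 8, raises a TypeError for non-numeric or array input, so an explicit `(int)` cast or `filter_input(INPUT_GET, 'team', FILTER_VALIDATE_INT)` with a rejected-input branch would be more predictable. The enclosing block starts and ends outside the hunk, so how `$TeamFilter` is used later is not visible here.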