[opw-web] Fix some cases where program titles were used without escaping



commit 964278e375727a44755b8169f1e8b0ed7fc20cbe
Author: Owen W. Taylor <otaylor fishsoup net>
Date:   Tue Mar 11 18:42:29 2014 -0400

    Fix some cases where program titles were used without escaping
    
    Auditing all template parameters for escaping only turned up a few places
    where program titles were not escaped - since program titles are edited
    only by admins, it's not a big deal, but fix in case anybody wants to use
    quotes, etc. in their program names.

 modules/mod_notifications.php |    2 +-
 modules/mod_program_home.php  |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/modules/mod_notifications.php b/modules/mod_notifications.php
index 884385b..aad291d 100644
--- a/modules/mod_notifications.php
+++ b/modules/mod_notifications.php
@@ -235,7 +235,7 @@ foreach ($queue_data as $queue)
 {
     $skin->assign(array(
         'program_id'                 => $queue['program_id'],
-        'program_title'              => $queue['program_title'],
+        'program_title'              => htmlspecialchars($queue['program_title']),
         'program_deadline_sent'      => $skin->visibility($queue['deadline_flag'] == 1),
         'program_deadline_pending'   => $skin->visibility($queue['deadline_flag'] == 0),
         'program_complete_sent'      => $skin->visibility($queue['complete_flag'] == 1),
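Review bot: The added `htmlspecialchars($queue['program_title'])` relies on the default flags, which on PHP versions before 8.1 leave single quotes unescaped. A title containing `'` could therefore still break out of a single-quoted attribute, if any template uses one (the templates are not visible here). Since the stated goal is to let admins use quotes in titles, pass the flags and charset explicitly, assuming the site serves UTF-8: `htmlspecialchars($queue['program_title'], ENT_QUOTES, 'UTF-8')`. The same applies to the two calls added in modules/mod_program_home.php (the `'program_title'` entry and `$module_title`). The foreach body continues outside this hunk.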
diff --git a/modules/mod_program_home.php b/modules/mod_program_home.php
index 8af0c4f..8f0d93d 100644
--- a/modules/mod_program_home.php
+++ b/modules/mod_program_home.php
@@ -40,7 +40,7 @@ if ($program_data != null)
     // Assign screen data for the program
     $skin->assign(array(
         'program_id'               => $program_data['id'],
-        'program_title'            => $program_data['title'],
+        'program_title'            => htmlspecialchars($program_data['title']),
         'program_description'      => nl2br($program_data['description']),
         'program_start_date'       => date('M d, Y', $program_data['start_time']),
         'program_end_date'         => date('M d, Y', $program_data['end_time']),
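Review bot: `'program_description' => nl2br($program_data['description'])`, on the line right after the fixed title, is still handed to the template without escaping. If descriptions are meant to be plain text, it should read `nl2br(htmlspecialchars($program_data['description'], ENT_QUOTES, 'UTF-8'))`, with the escaping applied before `nl2br` so the inserted `<br />` tags survive. If admin-authored HTML is intentionally allowed in descriptions, a short comment saying so, such as `// description is trusted admin HTML, deliberately not escaped`, would stop the next escaping audit from flagging it. The `assign()` array continues outside the hunk.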
@@ -61,7 +61,7 @@ if ($program_data != null)
     ));
 
     // Output the module
-    $module_title = $program_data['title'];
+    $module_title = htmlspecialchars($program_data['title']);
     $module_data = $skin->output('tpl_program_home');
 }
 else
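Review bot: `$module_title` now holds HTML-escaped text rather than the raw title, and nothing at the assignment records that. The code that consumes it lies outside this hunk, so it is not visible whether the layout emits it verbatim. If it is escaped a second time, or reused in a non-HTML context such as a mail subject or log line, the entities will show up literally. A comment at the assignment, for example `// HTML-escaped here; the page layout must output $module_title as-is`, would document the contract.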

