Fix dumb exploit that allowed arbitrary HTML in profile blocks (whoops)

RedEnchilada · RedEnchilada · commit 62f42bc631ea · 2015-02-18T22:21:37.000-06:00
diff --git a/lib/profileblock.php b/lib/profileblock.php
@@ -106,7 +106,7 @@ function showDescription()
             $this->out->elementStart(
                 'p',
                 'profile_block_description');
-            $this->out->raw(preg_replace('/\r?\n/', '<br />', $description));
+            $this->out->raw(preg_replace('/\r?\n/', '<br />', htmlspecialchars($description)));
             $this->out->elementEnd('p');
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ function showDescription()`
`106`	`106`	`$this->out->elementStart(`
`107`	`107`	`'p',`
`108`	`108`	`'profile_block_description');`
`109`		`- $this->out->raw(preg_replace('/\r?\n/', '<br />', $description));`
	`109`	`+ $this->out->raw(preg_replace('/\r?\n/', '<br />', htmlspecialchars($description)));`
`110`	`110`	`$this->out->elementEnd('p');`
`111`	`111`	`}`
`112`	`112`	`}`