Replace rawurlencode with the right escaping

bgermann · bgermann · commit 71617c2464b0 · 2019-02-25T19:41:47.000+01:00
diff --git a/lib_render.php b/lib_render.php
@@ -802,9 +802,9 @@ function cforms2($no = '', $customfields = array()) {
     }
 
 
-    $formcontent .= '<input type="hidden" name="cf_working' . $no . '" id="cf_working' . $no . '" value="<span>' . rawurlencode($cformsSettings['form' . $no]['cforms' . $no . '_working']) . '</span>"/>' .
-            '<input type="hidden" name="cf_failure' . $no . '" id="cf_failure' . $no . '" value="<span>' . rawurlencode($cformsSettings['form' . $no]['cforms' . $no . '_failure']) . '</span>"/>' .
-            '<input type="hidden" name="cf_customerr' . $no . '" id="cf_customerr' . $no . '" value="' . rawurlencode($custom_error) . '"/>';
+    $formcontent .= '<input type="hidden" name="cf_working' . $no . '" id="cf_working' . $no . '" value="<span>' . stripslashes(htmlspecialchars($cformsSettings['form' . $no]['cforms' . $no . '_working'])) . '</span>"/>' .
+            '<input type="hidden" name="cf_failure' . $no . '" id="cf_failure' . $no . '" value="<span>' . stripslashes(htmlspecialchars($cformsSettings['form' . $no]['cforms' . $no . '_failure'])) . '</span>"/>' .
+            '<input type="hidden" name="cf_customerr' . $no . '" id="cf_customerr' . $no . '" value="' . htmlspecialchars($custom_error) . '"/>';
 
     $formcontent .= '</fieldset>';
 

Original file line number	Diff line number	Diff line change
`@@ -802,9 +802,9 @@ function cforms2($no = '', $customfields = array()) {`
`802`	`802`	`}`
`803`	`803`
`804`	`804`
`805`		`- $formcontent .= '<input type="hidden" name="cf_working' . $no . '" id="cf_working' . $no . '" value="<span>' . rawurlencode($cformsSettings['form' . $no]['cforms' . $no . '_working']) . '</span>"/>' .`
`806`		`- '<input type="hidden" name="cf_failure' . $no . '" id="cf_failure' . $no . '" value="<span>' . rawurlencode($cformsSettings['form' . $no]['cforms' . $no . '_failure']) . '</span>"/>' .`
`807`		`- '<input type="hidden" name="cf_customerr' . $no . '" id="cf_customerr' . $no . '" value="' . rawurlencode($custom_error) . '"/>';`
	`805`	`+ $formcontent .= '<input type="hidden" name="cf_working' . $no . '" id="cf_working' . $no . '" value="<span>' . stripslashes(htmlspecialchars($cformsSettings['form' . $no]['cforms' . $no . '_working'])) . '</span>"/>' .`
	`806`	`+ '<input type="hidden" name="cf_failure' . $no . '" id="cf_failure' . $no . '" value="<span>' . stripslashes(htmlspecialchars($cformsSettings['form' . $no]['cforms' . $no . '_failure'])) . '</span>"/>' .`
	`807`	`+ '<input type="hidden" name="cf_customerr' . $no . '" id="cf_customerr' . $no . '" value="' . htmlspecialchars($custom_error) . '"/>';`
`808`	`808`
`809`	`809`	`$formcontent .= '</fieldset>';`
`810`	`810`