Properly strip html from signature preview - thanks Jorin for reporting

Signed-off-by: emanuele <emanuele45@gmail.com>
elkarte · Aug 11, 2015 · 372594b · 372594b
1 parent 5302e66
commit 372594b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/sources/controllers/Xmlpreview.controller.php b/sources/controllers/Xmlpreview.controller.php
@@ -141,13 +141,14 @@ public function action_sig_preview()
 			$member['signature'] = parse_bbc($member['signature'], true, 'sig' . $user);
 
 			// And now what they want it to be
-			$preview_signature = !empty($_POST['signature']) ? $_POST['signature'] : '';
+			$preview_signature = !empty($_POST['signature']) ? Util::htmlspecialchars($_POST['signature']) : '';
 			$validation = profileValidateSignature($preview_signature);
 
 			// An odd check for errors to be sure
 			if ($validation !== true && $validation !== false)
 				$errors[] = array('value' => $txt['profile_error_' . $validation], 'attributes' => array('type' => 'error'));
 
+			preparsecode($preview_signature);
 			censorText($preview_signature);
 			$preview_signature = parse_bbc($preview_signature, true, 'sig' . $user);
 		}