Commit 11d74fa

Escape form value.
Even though this is a numeric field, this isn't enforced until the form is submitted.
1 parent 8ecffa1 commit 11d74fa

1 file changed (+1, -1 lines changed)
  • framework/Core/lib/Horde/Core/Ui/VarRenderer
Diff for: framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php

@@ -48,7 +48,7 @@ protected function _renderVarInput_number($form, &$var, &$vars)
4848
return sprintf('<input type="text" size="5" name="%s" id="%s" value="%s"%s />',
4949
htmlspecialchars($var->getVarName()),
5050
$this->_genID($var->getVarName(), false),
51-
$value,
51+
htmlspecialchars($value),
5252
$this->_getActionScripts($form, $var)
5353
);
5454
}
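
Review bot: the id attribute at line 50 still receives the result of $this->_genID($var->getVarName(), false) unescaped, while name on line 49 and now value on line 51 both go through htmlspecialchars(); either wrap it the same way or confirm that _genID() can only return attribute-safe characters. On line 51, htmlspecialchars($value) is called with default flags and charset, which covers this double-quoted attribute because the defaults escape double quotes, but passing the flags explicitly (for example ENT_QUOTES) along with the form's charset would keep the behaviour independent of the PHP version and configuration. A short comment next to the call noting that the numeric constraint is only enforced on submit would also help explain why a number field needs escaping.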