Fix for a cross site scripting bug

jeroenrnl · Jul 2, 2009 · 63aed78 · 63aed78
1 parent 6a20d65
commit 63aed78
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/php/people.php b/php/people.php
@@ -118,7 +118,7 @@
     }
     else {
 ?>
-          <div class="error"><?php echo sprintf(translate("No people were found with a last name beginning with '%s'."), $_l) ?></div>
+          <div class="error"><?php echo sprintf(translate("No people were found with a last name beginning with '%s'."), htmlentities($_l)) ?></div>
 <?php
     }
 ?>

diff --git a/php/util.inc.php b/php/util.inc.php
@@ -354,7 +354,7 @@ function create_form($vars, $ignore = array()) {
     $form = "";
     while (list($key, $val) = each($vars)) {
         if (in_array($key, $ignore)) { continue; }
-        $form .= "<input type=\"hidden\" name=\"$key\" value=\"$val\">\n";
+        $form .= "<input type=\"hidden\" name=\"$key\" value=\"" . escape_string($val) . "\">\n";
     }
 
     return $form;