Santize real name in tooltips

mantisbt · Feb 7, 2018 · 0eb55f9 · 0eb55f9
1 parent a3c0e9e
commit 0eb55f9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/core/prepare_api.php b/core/prepare_api.php
@@ -74,12 +74,12 @@ function prepare_user_name( $p_user_id ) {
 	$t_username = user_get_username( $p_user_id );
 	$t_name = user_get_name( $p_user_id );
 	if( $t_username != $t_name ) {
-		$t_tooltip = ' title="' . $t_name . '"';
+		$t_tooltip = ' title="' . string_attribute( $t_name ) . '"';
 	} else {
 		$t_tooltip = '';
 	}
 
-	$t_name = string_display_line( $t_username );
+	$t_username = string_display_line( $t_username );
 
 	if( user_exists( $p_user_id ) && user_get_field( $p_user_id, 'enabled' ) ) {
 		return '<a class="user"' . $t_tooltip . ' href="' . string_sanitize_url( 'view_user_page.php?id=' . $p_user_id, true ) . '">' . $t_username . '</a>';