Fix #11239: XSS on view_user_page.php with user Real Name field

User real names aren't sanitised before display on view_user_page.php thus this leads to an XSS vulnerability.
mantisbt · Dec 1, 2009 · 15b0752 · 15b0752
1 parent 93f36d2
commit 15b0752
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/view_user_page.php b/view_user_page.php
@@ -64,7 +64,7 @@
 			<?php echo lang_get( 'username' ) ?>
 		</td>
 		<td width="75%">
-			<?php echo $u_username ?>
+			<?php echo string_display_line( $u_username ) ?>
 		</td>
 	</tr>
 
@@ -98,7 +98,7 @@
 				if ( ! ( $t_can_manage || $t_can_see_realname ) ) {
 					print error_string(ERROR_ACCESS_DENIED);
 				} else {
-					echo $u_realname;
+					echo string_display_line( $u_realname );
 				}
 			?>
 		</td>