Escape variables in comments module

Jamie Snape · Jamie Snape · commit 9b7ca659168e · 2014-12-08T09:20:00.000-05:00
diff --git a/modules/comments/controllers/components/CommentComponent.php b/modules/comments/controllers/components/CommentComponent.php
@@ -35,7 +35,7 @@ public function getComments($item, $limit, $offset)
         foreach ($comments as $comment) {
             $commentArray = $comment->toArray();
             $commentArray['user'] = $comment->getUser()->toArray();
-            $commentArray['comment'] = htmlentities($commentArray['comment']);
+            $commentArray['comment'] = htmlspecialchars($commentArray['comment'], ENT_QUOTES, 'UTF-8');
             $commentArray['ago'] = $dateComponent->ago($commentArray['date']);
             $commentsList[] = $commentArray;
         }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public function getComments($item, $limit, $offset)`
`35`	`35`	`foreach ($comments as $comment) {`
`36`	`36`	`$commentArray = $comment->toArray();`
`37`	`37`	`$commentArray['user'] = $comment->getUser()->toArray();`
`38`		`- $commentArray['comment'] = htmlentities($commentArray['comment']);`
	`38`	`+ $commentArray['comment'] = htmlspecialchars($commentArray['comment'], ENT_QUOTES, 'UTF-8');`
`39`	`39`	`$commentArray['ago'] = $dateComponent->ago($commentArray['date']);`
`40`	`40`	`$commentsList[] = $commentArray;`
`41`	`41`	`}`