Fixing Bug #8184
    - Prevent XSS by executing htmlspecialchars during formMerge in all form fields
Jako committed Oct 17, 2013
1 parent e3d7af4 commit 29a366e
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions assets/snippets/eform/eform.inc.php
Expand Up @@ -677,8 +677,8 @@ function formMerge($docText, $docFields, $vClasses='') {
if(($datatype=="checkbox"||$datatype=="radio") && $listValue==$docFields[$listName]) $docText = str_replace("[+$listName:$listValue+]","checked='checked'",$docText);
}
}
// prevent XSS for fields with no html type
if (isset($fld) && $formats[$listName][2] != 'html') {
// prevent XSS for formfields
if (isset($fld)) {
$value = htmlspecialchars($value, ENT_QUOTES, $modx->config['modx_charset']);
}
if(strpos($name,":")===false) $docText = str_replace("[+$name+]",$value,$docText);
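Review bot: The escape on the `$value = htmlspecialchars(...)` line is still gated on `isset($fld)`, so any `$name`/`$value` pair that reaches the `str_replace("[+$name+]", $value, $docText)` below without `$fld` having been set is merged into `$docText` unescaped; `$fld` is assigned above the hunk, so whether such values can be user-supplied cannot be confirmed here, but the guard deserves a comment such as `// $fld is only set for declared form fields; a value arriving here without it is merged unescaped`. The call also passes only `ENT_QUOTES`: on PHP 5.4+ an invalid byte sequence for the configured charset makes htmlspecialchars() return an empty string and the field silently disappears, so `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $modx->config['modx_charset'])` would keep the field while still escaping it. Dropping the `$formats[$listName][2] != 'html'` exception means fields declared with an html format are now escaped too, which is what the commit intends but reverses the earlier behaviour; a one-line comment stating that html-format fields are intentionally no longer exempt would stop the next maintainer from re-adding the exception. Which two of the four `// prevent XSS ...` / `if (isset($fld)...` lines are the old pair is not marked on this page; the commit message suggests the unconditional `isset($fld)` form is the new one. formMerge begins and ends outside the hunk.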
