Escape page title for users who can't edit

They have a separate unlinked display of the page titles that wasn't being escaped. Escape the slugs at the same time, even though they should already be guaranteed to never contain "interesting" characters.
omeka · Aug 14, 2023 · 43dda13 · 43dda13
1 parent 48c2bd4
commit 43dda13
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/application/view/omeka/site-admin/page/index.phtml b/application/view/omeka/site-admin/page/index.phtml
@@ -36,7 +36,7 @@ $this->htmlElement('body')->appendAttribute('class', 'sites pages browse');
             <?php if ($page->userIsAllowed('update')): ?>
             <?php echo $page->link($page->title(), 'edit'); ?>
             <?php else: ?>
-            <?php echo $page->title(); ?>
+            <?php echo $escape($page->title()); ?>
             <?php endif; ?>
             <?php if (!$page->isPublic()): ?>
                 <span class="o-icon-private" aria-label="<?php echo $translate('Private'); ?>"></span>
@@ -65,7 +65,7 @@ $this->htmlElement('body')->appendAttribute('class', 'sites pages browse');
                 <?php endif; ?>
             </ul>
         </td>
-        <td><?php echo $page->slug(); ?></td>
+        <td><?php echo $escape($page->slug()); ?></td>
         <td><?php echo $escape($i18n->dateFormat($sortBy === 'created' ? $page->created() : $page->modified())); ?></td>
     </tr>
 <?php endforeach; ?>