plugins/wrms/update.php: escape api data, before pushing to clients

srynot4sale · Oct 3, 2014 · efda079 · efda079
1 parent 091e8b1
commit efda079
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/plugins/wrms/update.php b/plugins/wrms/update.php
@@ -85,6 +85,12 @@
             if (!isset($lastwrs[$seen]) || $row != $lastwrs[$seen]) {
                 // Update $lastwrs and trigger sending of new version
                 $send = true;
+                foreach ($row as $key => $val) {
+                    if (is_string($val)) {
+                        // escape any nasties
+                        $row->{$key} = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE);
+                    }
+                }
                 $lastwrs[$seen] = $row;
             }