fix: added missing conversion to HTML entities

thorsten · Dec 18, 2022 · 53099a9 · 53099a9
1 parent fb88fe5
commit 53099a9
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/phpmyfaq/admin/record.comments.php b/phpmyfaq/admin/record.comments.php
@@ -20,6 +20,7 @@
 use phpMyFAQ\Date;
 use phpMyFAQ\Entity\CommentType;
 use phpMyFAQ\Faq;
+use phpMyFAQ\Strings;
 
 if (!defined('IS_VALID_PHPMYFAQ')) {
     http_response_code(400);
@@ -73,7 +74,7 @@
                 <td>
                 <span style="font-weight: bold;">
                     <a href="mailto:<?= $faqComment->getEmail() ?>">
-                        <?= $faqComment->getUsername() ?>
+                        <?= Strings::htmlentities($faqComment->getUsername()) ?>
                     </a> |
                     <?= $date->format(date('Y-m-d H:i', $faqComment->getDate())) ?> |
                     <a href="<?php printf(
@@ -84,8 +85,8 @@
                              ) ?>">
                         <?= $faq->getRecordTitle($faqComment->getRecordId()) ?>
                     </a>
-                </span><br/>
-                    <?= $faqComment->getComment() ?>
+                </span><br>
+                    <?= Strings::htmlentities($faqComment->getComment()) ?>
                 </td>
               </tr>
                 <?php