
Commit 810ee26

committed
fix: added missing conversion to HTML entities
1 parent 53099a9 commit 810ee26


4 files changed

+6
-4
lines changed


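--- a/phpmyfaq/admin/ajax.user.php
+++ b/phpmyfaq/admin/ajax.user.php
@@ -22,6 +22,7 @@
 use phpMyFAQ\Helper\HttpHelper;
 use phpMyFAQ\Helper\MailHelper;
 use phpMyFAQ\Permission;
+use phpMyFAQ\Strings;
 use phpMyFAQ\User;
 
 if (!defined('IS_VALID_PHPMYFAQ')) {
@@ -63,7 +64,7 @@
 $userdata = [];
 $userdata = $user->userdata->get('*');
 $userdata['status'] = $user->getStatus();
-$userdata['login'] = $user->getLogin();
+$userdata['login'] = Strings::htmlentities($user->getLogin());
 $userdata['is_superadmin'] = $user->isSuperAdmin();
 $http->sendJsonWithHeaders($userdata);
 break;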
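Review bot: Only `login` is entity-encoded here, while `$userdata = $user->userdata->get('*');` two lines earlier still puts every other stored user field (presumably including `display_name`, which this commit encodes in index.php and ucp.php) into the same JSON response unencoded. If the admin UI inserts these values as HTML, the fix is incomplete; I would either encode the remaining string fields before `sendJsonWithHeaders()`, or keep the JSON raw and have the client render the values as text. Encoding inside a JSON payload also means any consumer that treats `login` as an identifier now receives the entity-encoded form. The enclosing `case` starts outside the hunk.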

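--- a/phpmyfaq/ajaxservice.php
+++ b/phpmyfaq/ajaxservice.php
@@ -758,7 +758,7 @@
 }
 
 $userId = Filter::filterInput(INPUT_POST, 'userid', FILTER_VALIDATE_INT);
-$userName = Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW);
+$userName = Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS);
 $email = Filter::filterInput(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
 $isVisible = Filter::filterInput(INPUT_POST, 'is_visible', FILTER_UNSAFE_RAW);
 $password = Filter::filterInput(INPUT_POST, 'password', FILTER_UNSAFE_RAW);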
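Review bot: Switching `name` to `FILTER_SANITIZE_SPECIAL_CHARS` escapes the value on input, so if this is the value that ends up in `display_name` it is stored already escaped and then encoded again where this commit wraps `display_name` in `Strings::htmlentities()` (index.php, ucp.php); unless that helper disables double encoding, names containing `&` or quotes would be shown as literal entities. Input-side escaping also does nothing for values written through other paths, so the output encoding is the control that actually matters. I would keep the raw value here, validate its length and character set, and rely on encoding at output; at minimum add a comment such as `// stored HTML-escaped; do not encode again on output`. The handler this hunk belongs to starts and ends outside the hunk.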

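--- a/phpmyfaq/index.php
+++ b/phpmyfaq/index.php
@@ -565,7 +565,7 @@
 $PMF_LANG['msgRegistration'] . '</a>' : '',
 'sendPassword' => '<a href="?action=password">' . $PMF_LANG['lostPassword'] . '</a>',
 'msgFullName' => $PMF_LANG['ad_user_loggedin'] . $user->getLogin(),
-'msgLoginName' => $user->getUserData('display_name'),
+'msgLoginName' => Strings::htmlentities($user->getUserData('display_name')),
 'loginHeader' => $PMF_LANG['msgLoginUser'],
 'loginMessage' => $loginMessage,
 'writeLoginPath' => Strings::htmlentities($faqSystem->getSystemUri($faqConfig)) . '?' . Filter::getFilteredQueryString(),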
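Review bot: The line directly above the change, `'msgFullName' => $PMF_LANG['ad_user_loggedin'] . $user->getLogin(),`, still passes the login to the template unencoded, although this same commit treats `getLogin()` as needing encoding in admin/ajax.user.php. I would change it to `'msgFullName' => $PMF_LANG['ad_user_loggedin'] . Strings::htmlentities($user->getLogin()),`. The same gap appears in ucp.php, where `'email' => $user->getUserData('email'),` sits two lines below the newly encoded `realname`; e-mail validation on input is not HTML encoding, so that value should be wrapped in `Strings::htmlentities()` as well. Whether either value can actually carry markup depends on validation outside these hunks, and the template array starts and ends outside the hunk.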

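--- a/phpmyfaq/ucp.php
+++ b/phpmyfaq/ucp.php
@@ -16,6 +16,7 @@
 */
 
 use phpMyFAQ\Services\Gravatar;
+use phpMyFAQ\Strings;
 
 if (!defined('IS_VALID_PHPMYFAQ')) {
 http_response_code(400);
@@ -51,7 +52,7 @@
 'csrf' => $user->getCsrfTokenFromSession(),
 'readonly' => $faqConfig->isLdapActive() ? 'readonly' : '',
 'msgRealName' => $PMF_LANG['ad_user_name'],
-'realname' => $user->getUserData('display_name'),
+'realname' => Strings::htmlentities($user->getUserData('display_name')),
 'msgEmail' => $PMF_LANG['msgNewContentMail'],
 'email' => $user->getUserData('email'),
 'msgIsVisible' => $PMF_LANG['ad_user_data_is_visible'],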
