Commit 6f6904db authored by Lukas Fleischer's avatar Lukas Fleischer

Fix some more XSS vulnerabilities



Escape strings properly using htmlspecialchars(). Seems like we missed
these in former cleanups. Fixes FS#28515.

Signed-off-by: default avatarLukas Fleischer <archlinux@cryptocrack.de>
parent e53b91fe
......@@ -4,7 +4,7 @@
<html xmlns="http://www.w3.org/1999/xhtml"
xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>">
<head>
<title>AUR (<?php print $LANG; ?>)<?php if ($title != "") { print " - " . $title; } ?></title>
<title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title>
<link rel='stylesheet' type='text/css' href='css/fonts.css' />
<link rel='stylesheet' type='text/css' href='css/containers.css' />
<link rel='stylesheet' type='text/css' href='css/arch.css' />
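Review bot: $LANG is still printed raw into the xml:lang and lang attributes on the `<html>` line two lines above the changed `<title>`, even though this commit now passes the same value through htmlspecialchars() for the title text; an attribute value is the context where an unescaped double quote breaks out of the markup, so it needs at least the same treatment. Suggest `xml:lang="<?php print htmlspecialchars($LANG, ENT_QUOTES); ?>" lang="<?php print htmlspecialchars($LANG, ENT_QUOTES); ?>">`, which emits the same attributes and also removes the escaped-quote juggling inside the PHP string. Whether $LANG can carry request-controlled input is not visible in this hunk, but the commit itself already treats it as untrusted. The `<html>` element opened here is closed outside the hunk.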
......@@ -69,7 +69,7 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[
<p>
<span class='f2'><?php echo htmlspecialchars($row['Name']) . ' ' . htmlspecialchars($row['Version']) ?></span><br />
<span class='f3'><a href="<?php echo htmlspecialchars($row['URL'], ENT_QUOTES) . '">' . $row['URL'] ?></a></span><br />
<span class='f3'><a href="<?php echo htmlspecialchars($row['URL'], ENT_QUOTES) . '">' . htmlspecialchars($row['URL']) ?></a></span><br />
<span class='f3'><?php echo htmlspecialchars($row['Description'], ENT_QUOTES); ?></span>
</p>
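Review bot: htmlspecialchars() on the href in the changed `<a>` line stops the stored URL from breaking out of the attribute, but it does not constrain the URL's scheme, so a value with a script scheme (for example `javascript:`) would still be rendered as a clickable link unless it is validated before it reaches the database, and nothing in this hunk shows that. A safer rendering emits the `<a>` only when the URL begins with `http://`, `https://` or `ftp://` and otherwise prints the escaped text without a link. Minor: the link text is escaped without ENT_QUOTES while the href and the Description line below use it; in element content that is harmless, but passing ENT_QUOTES throughout keeps the rule uniform. Emitting the closing `">` from inside the PHP echo obscures the attribute boundary; `<a href="<?php echo htmlspecialchars($row['URL'], ENT_QUOTES); ?>"><?php echo htmlspecialchars($row['URL'], ENT_QUOTES); ?></a>` produces the same markup and reads more clearly.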
......@@ -11,7 +11,7 @@
<td class="boxSoft">
<span class="f4"><span class="blue">
<a href="packages.php?ID=<?php print intval($row["ID"]); ?>">
<?php print $row["Name"] . ' ' . $row["Version"]; ?>
<?php print htmlspecialchars($row["Name"]) . ' ' . htmlspecialchars($row["Version"]); ?>
</a></span></span>
</td>
<td class="boxSoft">
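Review bot: The new escaping of Name and Version on the changed `print` line uses htmlspecialchars() with default flags, while the href and Description escapes elsewhere in this commit pass ENT_QUOTES; inside the `<a>` text node that is harmless, but one form everywhere makes audits like this one mechanical. Suggest `<?php print htmlspecialchars($row["Name"], ENT_QUOTES) . ' ' . htmlspecialchars($row["Version"], ENT_QUOTES); ?>`. Since the message says these sites were missed in earlier cleanups, a small shared template helper that escapes and prints a field would lower the chance of another raw `print $row[...]` slipping through. The enclosing `<tr>` and its table start and end outside the hunk.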