author | Aaron Parecki <aaron@parecki.com> | 2016-05-06 07:59:16 +0200 |
committer | Aaron Parecki <aaron@parecki.com> | 2016-05-06 07:59:16 +0200 |
commit | c1101c687da661e4489cde2a663a93f094cf2546 (patch) | |
tree | 5a3d4687ba261c67a5483955f88818a4f9500065 /views | |
parent | 1743621c4896b65cd9bd81a07341b48a7619bcf8 (diff) |
escape html in syndication targets
Diffstat (limited to 'views')
-rw-r--r-- | views/new-post.php | 6 | ||||
-rw-r--r-- | views/partials/syndication-js.php | 2 |
2 files changed, 4 insertions, 4 deletions
diff --git a/views/new-post.php b/views/new-post.php
index 7c4d3cf..da3927d 100644
--- a/views/new-post.php
+++ b/views/new-post.php
@@ -44,9 +44,9 @@
 echo '<ul>';
 foreach($this->syndication_targets as $syn) {
 echo '<li>'
- . '<button data-syndicate-to="'.(isset($syn['uid']) ? $syn['uid'] : $syn['target']).'" class="btn btn-default btn-block">'
- . ($syn['favicon'] ? '<img src="'.$syn['favicon'].'" width="16" height="16"> ' : '')
- . $syn['target']
+ . '<button data-syndicate-to="'.(isset($syn['uid']) ? htmlspecialchars($syn['uid']) : htmlspecialchars($syn['target'])).'" class="btn btn-default btn-block">'
+ . ($syn['favicon'] ? '<img src="'.htmlspecialchars($syn['favicon']).'" width="16" height="16"> ' : '')
+ . htmlspecialchars($syn['target'])
 . '</button>'
 . '</li>';
 }
diff --git a/views/partials/syndication-js.php b/views/partials/syndication-js.php
index 088cb43..6267327 100644
--- a/views/partials/syndication-js.php
+++ b/views/partials/syndication-js.php
@@ -7,7 +7,7 @@ function reload_syndications() {
 var target = data.targets[i].target;
 var uid = data.targets[i].uid;
 var favicon = data.targets[i].favicon;
- $("#syndication-container ul").append('<li><button data-syndicate-to="'+(uid ? uid : target)+'" class="btn btn-default btn-block">'+(favicon ? '<img src="'+favicon+'" width="16" height="16"> ':'')+target+'</button></li>');
+ $("#syndication-container ul").append('<li><button data-syndicate-to="'+htmlspecialchars(uid ? uid : target)+'" class="btn btn-default btn-block">'+(favicon ? '<img src="'+htmlspecialchars(favicon)+'" width="16" height="16"> ':'')+htmlspecialchars(target)+'</button></li>');
 }
 bind_syndication_buttons();
 } else { |
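Review bot: The three new `htmlspecialchars()` calls in the new-post.php hunk rely on the default flags, which on the PHP versions of this era (pre-8.1) means ENT_COMPAT without ENT_SUBSTITUTE: single quotes pass through unescaped and a value containing invalid UTF-8 is silently turned into an empty string, so a target with a bad byte sequence renders as a blank button. The attributes here are double-quoted so the missing quote escaping is not exploitable as written, but making the escaping explicit removes the dependence on that detail: add `$esc = function($s) { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); };` before the `foreach` and call `$esc(...)` in place of each `htmlspecialchars(...)`. Separately, escaping only keeps `$syn['favicon']` from breaking out of the `src` attribute; it does not stop a `javascript:` or `data:` URL from being emitted verbatim, so if these targets come from a remote endpoint (presumably the micropub server's syndicate-to list; confirm), consider accepting only http(s) values for the favicon. The hunk sits inside a template whose enclosing scope is not visible here.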
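Review bot: The new line in syndication-js.php calls `htmlspecialchars()` from browser-side JavaScript (`var target = data.targets[i].target` and the jQuery `.append(...)` make this runtime JS, not PHP), and no such function exists in the browser; unless this project ships a JS helper by that name, `reload_syndications` will throw a ReferenceError on the first target and the list will stay empty, so the intended escaping never runs and the `.target` values from the endpoint are handled no better than before. The robust fix is to stop building HTML from strings here and let jQuery set attributes and text nodes, which needs no escaping at all and also keeps `favicon` from closing the `src` attribute. The enclosing `reload_syndications` function starts before this hunk and continues past `} else {`, so the loop header and the rest of the function are not visible here.
```javascript
// … unchanged: var target / var uid / var favicon …
var $button = $('<button>', { 'class': 'btn btn-default btn-block' })
  .attr('data-syndicate-to', uid ? uid : target);
if (favicon) {
  $button.append($('<img>').attr({ src: favicon, width: 16, height: 16 }));
  $button.append(' ');
}
$button.append(document.createTextNode(target));
$("#syndication-container ul").append($('<li>').append($button));
// … unchanged: closing brace of the loop, bind_syndication_buttons() …
```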