From 738715af43c314d10f5790c67f390a4d0821fd68 Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Thu, 2 Sep 2021 23:04:26 +0100
Subject: [PATCH] core | render_pagename, render_username: fix potential authenticated XSS attack
---
 core/05-functions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/05-functions.php b/core/05-functions.php
index f63bf03..e37b3b3 100644
--- a/core/05-functions.php
+++ b/core/05-functions.php
@@ -679,7 +679,7 @@ function render_timestamp($timestamp, $absolute = false, $html = true) {
 */
 function render_pagename($rchange) {
 global $pageindex;
- $pageDisplayName = $rchange->page;
+ $pageDisplayName = htmlentities($rchange->page);
 if(isset($pageindex->$pageDisplayName) and !empty($pageindex->$pageDisplayName->redirect))
 $pageDisplayName = "$pageDisplayName";
 $pageDisplayLink = "$pageDisplayName";
@@ -692,7 +692,7 @@ function render_pagename($rchange) {
 * @return string HTML representing the given editor's name.
 */
 function render_editor($editorName) {
- return "✎ $editorName";
+ return "✎ ".htmlentities($editorName)."";
 }
 
 /**
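Review bot: The `isset($pageindex->$pageDisplayName)` lookup on the line after the fix now uses the entity-encoded string, so a page whose name contains `&`, `<`, `>` or `"` no longer matches its index entry and the redirect check silently fails for it. Keep the raw name for the lookup and encode only the value that is written into markup: `$pageName = $rchange->page;` `$pageDisplayName = htmlentities($pageName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` with the condition changed to `isset($pageindex->$pageName) and !empty($pageindex->$pageName->redirect)`. The explicit `ENT_QUOTES` matters because before PHP 8.1 the default flags leave single quotes unencoded, which is not enough if the name ends up inside a single-quoted attribute; the link markup is not visible on this page, so that should be checked against the file. The same flag remark applies to the `htmlentities($editorName)` call in the render_editor hunk, and render_pagename's body continues outside this hunk.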
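Review bot: render_editor() now encodes its argument, but the docblock above it still only says it returns HTML, so a caller that already escapes the name before calling will produce double-encoded output without any hint why. State the contract in the docblock, for example `@param string $editorName The raw (unescaped) editor name; it is HTML-encoded by this function.`. The commit subject names render_username while this hunk changes render_editor, so it is worth confirming that no separate render_username helper is left emitting the name unescaped. The start of the docblock lies outside the hunk.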