mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-21 16:13:00 +00:00

core | render_pagename, render_username: fix potential authenticated XSS attack

Starbeamrainbowlabs 2021-09-02 23:04:26 +01:00
parent d977d594e6
commit 738715af43
Signed by: sbrl
GPG key ID: 1BE5172E637709C2


@ -679,7 +679,7 @@ function render_timestamp($timestamp, $absolute = false, $html = true) {
*/ */
function render_pagename($rchange) { function render_pagename($rchange) {
global $pageindex; global $pageindex;
$pageDisplayName = $rchange->page; $pageDisplayName = htmlentities($rchange->page);
if(isset($pageindex->$pageDisplayName) and !empty($pageindex->$pageDisplayName->redirect)) if(isset($pageindex->$pageDisplayName) and !empty($pageindex->$pageDisplayName->redirect))
$pageDisplayName = "<em>$pageDisplayName</em>"; $pageDisplayName = "<em>$pageDisplayName</em>";
$pageDisplayLink = "<a href='?page=" . rawurlencode($rchange->page) . "'>$pageDisplayName</a>"; $pageDisplayLink = "<a href='?page=" . rawurlencode($rchange->page) . "'>$pageDisplayName</a>";
@ -692,7 +692,7 @@ function render_pagename($rchange) {
* @return string HTML representing the given editor's name. * @return string HTML representing the given editor's name.
*/ */
function render_editor($editorName) { function render_editor($editorName) {
return "<span class='editor'>&#9998; $editorName</span>"; return "<span class='editor'>&#9998; ".htmlentities($editorName)."</span>";
} }
/** /**
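Review bot: In render_pagename the redirect check on the line after the new `htmlentities()` call now uses the HTML-encoded name as the lookup key (`$pageindex->$pageDisplayName`), so a page whose name contains `&`, `<`, `>`, `"` or a non-ASCII character that htmlentities maps to an entity will no longer match its index entry and the redirect `<em>` styling is silently lost. Keep the raw name for the lookup and encode only what is emitted, e.g. `if(isset($pageindex->{$rchange->page}) and !empty($pageindex->{$rchange->page}->redirect))`. Passing explicit flags in both functions, as in `htmlentities($editorName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, would also keep the escaping safe if either value is later moved into a single-quoted attribute, since the default flags before PHP 8.1 leave `'` unescaped. The body of render_pagename continues past the end of the first hunk, so how `$pageDisplayLink` is used afterwards is not visible here.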