diff options
author | Sebastien SAUVAGE <sebsauvage@sebsauvage.net> | 2013-11-29 21:53:20 +0100 |
---|---|---|
committer | Sebastien SAUVAGE <sebsauvage@sebsauvage.net> | 2013-11-29 21:53:20 +0100 |
commit | 53da201749f8f362323ef278bf338f1d9f7a925a (patch) | |
tree | 814919e595a1d879adc4017c2e904ede477be62a | |
parent | 7b2186a63e2c788f1f2622779c5a1c341117eac1 (diff) | |
download | Shaarli-53da201749f8f362323ef278bf338f1d9f7a925a.tar.gz Shaarli-53da201749f8f362323ef278bf338f1d9f7a925a.tar.zst Shaarli-53da201749f8f362323ef278bf338f1d9f7a925a.zip |
XSS flaw correction
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
-rw-r--r-- | index.php | 10 |
1 files changed, 5 insertions, 5 deletions
@@ -942,7 +942,7 @@ function showRSS() | |||
942 | echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))).$descriptionlink.']]></description>'."\n</item>\n"; | 942 | echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))).$descriptionlink.']]></description>'."\n</item>\n"; |
943 | $i++; | 943 | $i++; |
944 | } | 944 | } |
945 | echo '</channel></rss><!-- Cached version of '.pageUrl().' -->'; | 945 | echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; |
946 | 946 | ||
947 | $cache->cache(ob_get_contents()); | 947 | $cache->cache(ob_get_contents()); |
948 | ob_end_flush(); | 948 | ob_end_flush(); |
@@ -1027,7 +1027,7 @@ function showATOM() | |||
1027 | $feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>'; | 1027 | $feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>'; |
1028 | $feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do. | 1028 | $feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do. |
1029 | $feed.=$entries; | 1029 | $feed.=$entries; |
1030 | $feed.='</feed><!-- Cached version of '.pageUrl().' -->'; | 1030 | $feed.='</feed><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; |
1031 | echo $feed; | 1031 | echo $feed; |
1032 | 1032 | ||
1033 | $cache->cache(ob_get_contents()); | 1033 | $cache->cache(ob_get_contents()); |
@@ -1104,7 +1104,7 @@ function showDailyRSS() | |||
1104 | echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n"; | 1104 | echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n"; |
1105 | 1105 | ||
1106 | } | 1106 | } |
1107 | echo '</channel></rss><!-- Cached version of '.pageUrl().' -->'; | 1107 | echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->'; |
1108 | 1108 | ||
1109 | $cache->cache(ob_get_contents()); | 1109 | $cache->cache(ob_get_contents()); |
1110 | ob_end_flush(); | 1110 | ob_end_flush(); |
@@ -1747,11 +1747,11 @@ function importFile() | |||
1747 | } | 1747 | } |
1748 | $LINKSDB->savedb(); | 1748 | $LINKSDB->savedb(); |
1749 | 1749 | ||
1750 | echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>'; | 1750 | echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>'; |
1751 | } | 1751 | } |
1752 | else | 1752 | else |
1753 | { | 1753 | { |
1754 | echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>'; | 1754 | echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>'; |
1755 | } | 1755 | } |
1756 | } | 1756 | } |
1757 | 1757 | ||