authorOlav Morken <olav.morken@uninett.no>2012-10-19 08:48:00 +0200
committerOlav Morken <olav.morken@uninett.no>2012-10-19 08:57:50 +0200
commit28bfea4260faea1dffe909d36525c8654c660ed6 (patch)
tree19dd89bcf8a6009bb6bb5709c41e1a0b30154072
parent04f91fd782bffcd54dbcca729ec7bdc0e1c7124a (diff)
Properly escape form output data.
Since this data is inserted as strings in HTML documents, we should call htmlspecialchars() to protect against any values containing special characters, e.g. '"' or '&'.
-rw-r--r--Auth/OpenID/Message.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/Auth/OpenID/Message.php b/Auth/OpenID/Message.php
index 9aa1fa4..16ec1c1 100644
--- a/Auth/OpenID/Message.php
+++ b/Auth/OpenID/Message.php
@@ -675,7 +675,7 @@ class Auth_OpenID_Message {
if ($form_tag_attrs) {
foreach ($form_tag_attrs as $name => $attr) {
- $form .= sprintf(" %s=\"%s\"", $name, $attr);
+ $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr));
}
}
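Review bot: The attribute name on the rewritten `+` line is still inserted into the tag unescaped — only `$attr` goes through htmlspecialchars(), whereas the second hunk escapes both `$name` and `$value`; for consistency the line should read `$form .= sprintf(" %s=\"%s\"", htmlspecialchars($name), htmlspecialchars($attr));`, unless the keys of `$form_tag_attrs` are known to originate only from the library itself, which is not visible here. Both hunks also rely on htmlspecialchars()'s default flags and charset, which differ between PHP releases (the default charset became UTF-8 in 5.4, and on 5.4+ an invalid UTF-8 byte sequence makes the call return an empty string, silently dropping the value rather than failing visibly); passing them explicitly, e.g. `htmlspecialchars($attr, ENT_QUOTES, 'UTF-8')`, pins the behaviour across versions and escapes single quotes as well. The enclosing method's body starts before this hunk and continues past the end of the second one.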
@@ -684,11 +684,11 @@ class Auth_OpenID_Message {
foreach ($this->toPostArgs() as $name => $value) {
$form .= sprintf(
"<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
- $name, $value);
+ htmlspecialchars($name), htmlspecialchars($value));
}
$form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
- $submit_text);
+ htmlspecialchars($submit_text));
$form .= "</form>\n";