authorOlav Morken <olav.morken@uninett.no>2012-10-19 08:48:00 +0200
committerOlav Morken <olav.morken@uninett.no>2012-10-19 08:57:50 +0200
commit28bfea4260faea1dffe909d36525c8654c660ed6 (patch)
tree19dd89bcf8a6009bb6bb5709c41e1a0b30154072 /Auth
parent04f91fd782bffcd54dbcca729ec7bdc0e1c7124a (diff)
Properly escape form output data.
Since this data is inserted as strings in HTML documents, we should call htmlspecialchars() to protect against any values containing special characters, e.g. '"' or '&'.
Diffstat (limited to 'Auth')
-rw-r--r--Auth/OpenID/Message.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/Auth/OpenID/Message.php b/Auth/OpenID/Message.php
index 9aa1fa4..16ec1c1 100644
--- a/Auth/OpenID/Message.php
+++ b/Auth/OpenID/Message.php
@@ -675,7 +675,7 @@ class Auth_OpenID_Message {
if ($form_tag_attrs) {
foreach ($form_tag_attrs as $name => $attr) {
- $form .= sprintf(" %s=\"%s\"", $name, $attr);
+ $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr));
}
}
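Review bot: The attribute name `$name` on the added line is still interpolated into the tag unescaped while only `$attr` gets htmlspecialchars(); the second hunk escapes both the name and the value of each hidden input, so this hunk should do the same: `$form .= sprintf(" %s=\"%s\"", htmlspecialchars($name), htmlspecialchars($attr));`. In both hunks the htmlspecialchars() calls rely on the default quote flags and charset, and the default charset differs between PHP versions (ISO-8859-1 before 5.4, UTF-8 from 5.4), so passing them explicitly, e.g. `htmlspecialchars($attr, ENT_QUOTES, 'UTF-8')`, makes the escaping independent of the runtime; the same applies to the calls on the `$name`/`$value` and `$submit_text` lines of the second hunk. The enclosing method starts and ends outside both hunks, and the line that emits the form's `action` attribute is not visible here, so whether it receives the same treatment cannot be confirmed from this diff.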
@@ -684,11 +684,11 @@ class Auth_OpenID_Message {
foreach ($this->toPostArgs() as $name => $value) {
$form .= sprintf(
"<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
- $name, $value);
+ htmlspecialchars($name), htmlspecialchars($value));
}
$form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
- $submit_text);
+ htmlspecialchars($submit_text));
$form .= "</form>\n";