From 0d56e4ef3c3b578946ff89f760b337eae778fbff Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:40:38 +0000
Subject: [PATCH] Error page: Fix cross-site scripting.

If the user's email address comes from an untrusted source, it can be
used to inject arbitrary HTML into the error pages.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2432 44740490-163a-0410-bde0-09ae8108e29a
---
 templates/error.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/error.php b/templates/error.php
index fadbab0e0..f450409b1 100644
--- a/templates/error.php
+++ b/templates/error.php
@@ -47,7 +47,7 @@ if (isset($this->data['errorReportAddress'])) {
 	<form action="<?php echo htmlspecialchars($this->data['errorReportAddress']); ?>" method="post">
 	
 		<p><?php echo $this->t('report_text'); ?></p>
-		<p><?php echo $this->t('report_email'); ?> <input type="text" size="25" name="email" value="<?php echo($this->data['email']); ?>" />
+		<p><?php echo $this->t('report_email'); ?> <input type="text" size="25" name="email" value="<?php echo htmlspecialchars($this->data['email']); ?>" />
 	
 		<p>
 		<textarea style="width: 300px; height: 100px" name="text"><?php echo $this->t('report_explain'); ?></textarea>
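Review bot: The added `htmlspecialchars()` call on the email value leaves the quote flags and charset at their defaults, so the escaping is only safe because the attribute happens to be double-quoted and the runtime's default charset matches the page encoding. Passing both explicitly removes that dependency: `value="<?php echo htmlspecialchars($this->data['email'], ENT_QUOTES, 'UTF-8'); ?>"`, and the same applies to the existing action attribute two lines above, which uses the same default call. The enclosing `if (isset($this->data['errorReportAddress']))` block starts before the hunk and guards only the report address, so `$this->data['email']` being unset would still emit a notice; an `isset()` check around the value would be consistent with how the block is already guarded.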
-- 
GitLab