consentAdmin: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an untrusted source. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2439 44740490-163a-0410-bde0-09ae8108e29a

consentAdmin: Fix cross-site scripting.
0f397188 · Olav Morken · f09a13f5 · 0f397188
Commit 0f397188 authored 14 years ago by Olav Morken
--- a/modules/consentAdmin/templates/consentadmin.php
+++ b/modules/consentAdmin/templates/consentadmin.php
@@ -75,8 +75,8 @@ span.showhide {
 			foreach ($spList AS $spName => $spValues) {
 				$this->includeInlineTranslation('spname', $spValues['name']);
 				$this->includeInlineTranslation('spdescription', $spValues['description']);
-				$htmlSpName = $this->t('spname', array(), false, true);
-				$spDescription = $this->t('spdescription',array(), false, true);
+				$htmlSpName = htmlspecialchars($this->t('spname', array(), false, true));
+				$spDescription = htmlspecialchars($this->t('spdescription',array(), false, true));
 				$checkedAttr = $spValues['consentStatus'] == 'ok' ? "checked='yes'" : "";
 				$consentValue = $spValues['consentValue'];
 				$consentText = $spValues['consentStatus'] == 'changed' ? "attributes has changed" : "";