From 0f397188bee4f24873681f34207a749e701f57ee Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:41:37 +0000
Subject: [PATCH] consentAdmin: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an
untrusted source.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2439 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/consentAdmin/templates/consentadmin.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/consentAdmin/templates/consentadmin.php b/modules/consentAdmin/templates/consentadmin.php
index 2860b9b73..ae97cdf7d 100755
--- a/modules/consentAdmin/templates/consentadmin.php
+++ b/modules/consentAdmin/templates/consentadmin.php
@@ -75,8 +75,8 @@ span.showhide {
 			foreach ($spList AS $spName => $spValues) {
 				$this->includeInlineTranslation('spname', $spValues['name']);
 				$this->includeInlineTranslation('spdescription', $spValues['description']);
-				$htmlSpName = $this->t('spname', array(), false, true);
-				$spDescription = $this->t('spdescription',array(), false, true);
+				$htmlSpName = htmlspecialchars($this->t('spname', array(), false, true));
+				$spDescription = htmlspecialchars($this->t('spdescription',array(), false, true));
 				$checkedAttr = $spValues['consentStatus'] == 'ok' ? "checked='yes'" : "";
 				$consentValue = $spValues['consentValue'];
 				$consentText = $spValues['consentStatus'] == 'changed' ? "attributes has changed" : "";
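Review bot: The two added `htmlspecialchars()` calls use the default flags and charset. On PHP versions before 8.1 the default is `ENT_COMPAT`, which leaves single quotes unescaped, and before 5.4 the default charset is ISO-8859-1. This template already builds single-quoted attributes (`checked='yes'` on the next context line), so if `$htmlSpName` or `$spDescription` is later echoed inside a single-quoted attribute, the escaping would not be enough; the output sites are outside this hunk and should be checked. I would make the context explicit: `$htmlSpName = htmlspecialchars($this->t('spname', array(), false, true), ENT_QUOTES, 'UTF-8');`, and the same for `$spDescription`. The `foreach` body continues past the hunk, so it is also worth confirming that the other metadata-derived values visible here (`$spName`, `$consentValue`) are escaped where they are printed.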
-- 
GitLab