discopower: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an untrusted source. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2441 44740490-163a-0410-bde0-09ae8108e29a

discopower: Fix cross-site scripting.
Can be exploited if the site is configured to fetch metadata from an untrusted source. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2441 44740490-163a-0410-bde0-09ae8108e29a
6828a781 · Olav Morken · 9ef86337 · 6828a781
Commit 6828a781 authored 14 years ago by Olav Morken
--- a/modules/discopower/templates/disco-tpl.php
+++ b/modules/discopower/templates/disco-tpl.php
@@ -120,7 +120,7 @@ if (!empty($faventry)) {

 	echo('<div class="favourite">');
 	echo($this->t('previous_auth'));
-	echo(' <strong>' . getTranslatedName($this, $faventry) . '</strong>');
+	echo(' <strong>' . htmlspecialchars(getTranslatedName($this, $faventry)) . '</strong>');
 	echo('
 	<form id="idpselectform" method="get" action="' . $this->data['urlpattern'] . '">
 		<input type="hidden" name="entityID" value="' . htmlspecialchars($this->data['entityID']) . '" />
@@ -128,7 +128,7 @@ if (!empty($faventry)) {
 		<input type="hidden" name="returnIDParam" value="' . htmlspecialchars($this->data['returnIDParam']) . '" />
 		<input type="hidden" name="idpentityid" value="' . htmlspecialchars($faventry['entityid']) . '" />

-		<input type="submit" name="formsubmit" id="favouritesubmit" value="' . $this->t('login_at') . ' ' . getTranslatedName($this, $faventry) . '" /> 
+		<input type="submit" name="formsubmit" id="favouritesubmit" value="' . $this->t('login_at') . ' ' . htmlspecialchars(getTranslatedName($this, $faventry)) . '" /> 
 	</form>');

 	echo('</div>');