From 6828a781c72284a32992feecda4adac5a282ad28 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:41:53 +0000
Subject: [PATCH] discopower: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an
untrusted source.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2441 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/discopower/templates/disco-tpl.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/discopower/templates/disco-tpl.php b/modules/discopower/templates/disco-tpl.php
index f3ead884e..b235f59fa 100644
--- a/modules/discopower/templates/disco-tpl.php
+++ b/modules/discopower/templates/disco-tpl.php
@@ -120,7 +120,7 @@ if (!empty($faventry)) {
 
 	echo('<div class="favourite">');
 	echo($this->t('previous_auth'));
-	echo(' <strong>' . getTranslatedName($this, $faventry) . '</strong>');
+	echo(' <strong>' . htmlspecialchars(getTranslatedName($this, $faventry)) . '</strong>');
 	echo('
 	<form id="idpselectform" method="get" action="' . $this->data['urlpattern'] . '">
 		<input type="hidden" name="entityID" value="' . htmlspecialchars($this->data['entityID']) . '" />
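Review bot: `$this->data['urlpattern']` in the `action="…"` attribute is still concatenated in raw, while the `entityID` value on the next line is wrapped in htmlspecialchars(); if urlpattern can come from the same configuration or metadata path as the entity names this commit escapes, it needs the same treatment: `<form id="idpselectform" method="get" action="' . htmlspecialchars($this->data['urlpattern']) . '">`. Whether urlpattern is attacker-influenced cannot be confirmed from this hunk; it may well be set only in local config, in which case this is a consistency point rather than a defect. The enclosing `if (!empty($faventry))` block begins before this hunk and continues past it.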
@@ -128,7 +128,7 @@ if (!empty($faventry)) {
 		<input type="hidden" name="returnIDParam" value="' . htmlspecialchars($this->data['returnIDParam']) . '" />
 		<input type="hidden" name="idpentityid" value="' . htmlspecialchars($faventry['entityid']) . '" />
 
-		<input type="submit" name="formsubmit" id="favouritesubmit" value="' . $this->t('login_at') . ' ' . getTranslatedName($this, $faventry) . '" /> 
+		<input type="submit" name="formsubmit" id="favouritesubmit" value="' . $this->t('login_at') . ' ' . htmlspecialchars(getTranslatedName($this, $faventry)) . '" /> 
 	</form>');
 
 	echo('</div>');
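Review bot: htmlspecialchars() is called on the new submit `value` line without flags or charset, so escaping depends on runtime defaults; the same applies to the call added in the first hunk. Passing them explicitly, `htmlspecialchars(getTranslatedName($this, $faventry), ENT_QUOTES, 'UTF-8')`, pins the behaviour (single quotes are not escaped by default, and with an ISO-8859-1 default charset malformed UTF-8 sequences pass through unchecked rather than being rejected). `$this->t('login_at')` on the same line is still inserted into the same attribute unescaped; that is presumably a trusted dictionary string, but escaping it too would make the attribute uniformly safe regardless of where translations are loaded from. The enclosing block starts before this hunk.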
-- 
GitLab