core: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an untrusted source. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2440 44740490-163a-0410-bde0-09ae8108e29a

core: Fix cross-site scripting.
Can be exploited if the site is configured to fetch metadata from an untrusted source. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2440 44740490-163a-0410-bde0-09ae8108e29a
9ef86337 · Olav Morken · 0f397188 · 9ef86337
Commit 9ef86337 authored 14 years ago by Olav Morken
--- a/modules/core/templates/frontpage_federation.tpl.php
+++ b/modules/core/templates/frontpage_federation.tpl.php
@@ -78,11 +78,11 @@ foreach($this->data['metaentries']['remote'] AS $setkey => $set) {
 			htmlspecialchars(SimpleSAML_Module::getModuleURL('core/show_metadata.php', array('entityid' => $entry['entityid'], 'set' => $setkey ))) .
 			'">');
 		if (array_key_exists('name', $entry)) {
-			echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en'));
+			echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en')));
 		} elseif (array_key_exists('OrganizationDisplayName', $entry)) {
-			echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en'));
+			echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en')));
 		} else {
-			echo $entry['entityid'];
+			echo htmlspecialchars($entry['entityid']);
 		}
 		echo '</a>';
 		if (array_key_exists('expire', $entry)) {