From 9ef8633754f2628ab92dbfe245055c743ef7b159 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:41:45 +0000
Subject: [PATCH] core: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an untrusted source.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2440 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/core/templates/frontpage_federation.tpl.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/core/templates/frontpage_federation.tpl.php b/modules/core/templates/frontpage_federation.tpl.php
index 55c827dd4..aea2badc3 100644
--- a/modules/core/templates/frontpage_federation.tpl.php
+++ b/modules/core/templates/frontpage_federation.tpl.php
@@ -78,11 +78,11 @@ foreach($this->data['metaentries']['remote'] AS $setkey => $set) {
 htmlspecialchars(SimpleSAML_Module::getModuleURL('core/show_metadata.php', array('entityid' => $entry['entityid'], 'set' => $setkey ))) . '">');
 if (array_key_exists('name', $entry)) {
- echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en'));
+ echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en')));
 } elseif (array_key_exists('OrganizationDisplayName', $entry)) {
- echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en'));
+ echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en')));
 } else {
- echo $entry['entityid'];
+ echo htmlspecialchars($entry['entityid']);
 }
 echo '</a>';
 if (array_key_exists('expire', $entry)) {
--
GitLab
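Review bot: The escaping is now repeated in each of the three branches of the `if`/`elseif`/`else` that picks the link text, so a label source added later can reach `echo` unescaped again. Assigning the chosen value to a local in each branch and emitting it once after the `else` with `echo htmlspecialchars($label);` keeps a single output point for metadata-derived text. The calls rely on PHP's default flags and charset, which is enough for element content as used here, but would not cover a value later moved into a single-quoted attribute. The enclosing `foreach` over the `remote` entries starts and ends outside the hunk, so whether other output sites in this template (or other templates that print names from fetched metadata) are escaped cannot be confirmed from here and is worth checking alongside this fix.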