From 9ef8633754f2628ab92dbfe245055c743ef7b159 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:41:45 +0000
Subject: [PATCH] core: Fix cross-site scripting.

Can be exploited if the site is configured to fetch metadata from an
untrusted source.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2440 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/core/templates/frontpage_federation.tpl.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/core/templates/frontpage_federation.tpl.php b/modules/core/templates/frontpage_federation.tpl.php
index 55c827dd4..aea2badc3 100644
--- a/modules/core/templates/frontpage_federation.tpl.php
+++ b/modules/core/templates/frontpage_federation.tpl.php
@@ -78,11 +78,11 @@ foreach($this->data['metaentries']['remote'] AS $setkey => $set) {
 			htmlspecialchars(SimpleSAML_Module::getModuleURL('core/show_metadata.php', array('entityid' => $entry['entityid'], 'set' => $setkey ))) .
 			'">');
 		if (array_key_exists('name', $entry)) {
-			echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en'));
+			echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['name'], 'en')));
 		} elseif (array_key_exists('OrganizationDisplayName', $entry)) {
-			echo $this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en'));
+			echo htmlspecialchars($this->getTranslation(SimpleSAML_Utilities::arrayize($entry['OrganizationDisplayName'], 'en')));
 		} else {
-			echo $entry['entityid'];
+			echo htmlspecialchars($entry['entityid']);
 		}
 		echo '</a>';
 		if (array_key_exists('expire', $entry)) {
-- 
GitLab