From aeb46206ae42f2a355f31d45db1a97ff79270bd4 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 14 Dec 2007 13:23:50 +0000
Subject: [PATCH] templates - post: Escape data sent with HTTP-POST requests.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@111 44740490-163a-0410-bde0-09ae8108e29a
---
 templates/default/en/post.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/default/en/post.php b/templates/default/en/post.php
index 2329cdbca..1178985a3 100644
--- a/templates/default/en/post.php
+++ b/templates/default/en/post.php
@@ -11,9 +11,9 @@
 		<p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p> 
 	</noscript> 
 	
-	<form method="post" action="<?php echo $data['destination']; ?>">
-		<input type="hidden" name="SAMLResponse" value="<?php echo $data['response']; ?>" />
-		<input type="hidden" name="<?php echo $data['RelayStateName']; ?>" value="<?php echo $data['RelayState']; ?>">
+	<form method="post" action="<?php echo htmlspecialchars($data['destination']); ?>">
+		<input type="hidden" name="SAMLResponse" value="<?php echo htmlspecialchars($data['response']); ?>" />
+		<input type="hidden" name="<?php echo htmlspecialchars($data['RelayStateName']); ?>" value="<?php echo htmlspecialchars($data['RelayState']); ?>">
 		
 		<noscript>
 			<input type="submit" value="Submit the response to the service" />
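Review bot: Escaping stops `$data['destination']` from breaking out of the `action` attribute, but it does not constrain what the URL is: a `javascript:` or other unexpected scheme passes through `htmlspecialchars()` unchanged, and the form submits the SAMLResponse to it. Whether the destination can be influenced by the incoming request is not visible in this hunk; if it can, it should be checked against the configured endpoint, or at least against an http/https scheme, before the template renders it. The added calls also rely on the default flags and charset, which differ between PHP versions; spelling them out, e.g. `htmlspecialchars($data['RelayState'], ENT_QUOTES, 'UTF-8')`, makes the escaping independent of interpreter defaults. The form continues past the end of the hunk.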
-- 
GitLab