author | Michael Tänzer <neo@nhng.de> | 2014-05-01 01:05:17 +0200 |
committer | Michael Tänzer <neo@nhng.de> | 2014-05-01 02:11:07 +0200 |
commit | debc6736b5f380d6a023389f3151fe5a2cb144cf (patch) | |
tree | 3c8bcfedc5e669b62d32f8ba1bda729b99b7063b /pages | |
parent | 554493552e248fcd15d5523a5904ca38eda44680 (diff) | |
bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSS
Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'pages')
-rw-r--r-- | pages/account/16.php | 2 | ||||
-rw-r--r-- | pages/account/21.php | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/pages/account/16.php b/pages/account/16.php
index 564463e..db8a8f5 100644
--- a/pages/account/16.php
+++ b/pages/account/16.php
@@ -42,7 +42,7 @@
 </tr>
 <tr>
 <td class="DataTD"><?=_("Department")?>:</td>
- <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?($_SESSION['_config']['OU']):''?>"/></td>
+ <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
 </tr>
 <tr>
 <td class="DataTD" colspan="2" align="left">
diff --git a/pages/account/21.php b/pages/account/21.php
index 75827fb..c5832b9 100644
--- a/pages/account/21.php
+++ b/pages/account/21.php
@@ -41,7 +41,7 @@ if (is_array($_SESSION['_config']['altrows'])) {
 }
 echo _("Organisation"), ": {$org['O']}<br>\n";
-echo _("Org. Unit"), ": {$_SESSION['_config']['OU']}<br>\n";
+echo _("Org. Unit"), ": ", sanitizeHTML($_SESSION['_config']['OU']), "<br>\n";
 echo _("Location"), ": {$org['L']}<br>\n";
 echo _("State/Province"), ": {$org['ST']}<br>\n";
 echo _("Country"), ": {$org['C']}<br>\n";
@@ -52,7 +52,7 @@ echo _("Country"), ": {$org['C']}<br>\n";
 <input type="submit" name="process" value="<?=_("Submit")?>">
 <input type="hidden" name="oldid" value="<?=$id?>">
 </p>
-
+
 <? if ($_SESSION['profile']['admin'] == 1) { ?> |
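Review bot: The added line in pages/account/16.php emits `sanitizeHTML($_SESSION['_config']['OU'])` inside a double-quoted `value="…"` attribute, and whether that is sufficient depends on a helper whose definition is not in this diff. Escaping for an attribute context has to encode the quote characters as well as `<`, `>` and `&` (the `ENT_QUOTES` behaviour of `htmlspecialchars`), otherwise a quote in the stored value still ends the attribute even after this fix. Please confirm that `sanitizeHTML()` does encode quotes and uses a UTF-8 charset, and consider recording that contract in a comment on the helper, e.g. `// escapes for both HTML text and double-quoted attribute contexts (ENT_QUOTES, UTF-8)`. The same helper is relied on in the pages/account/21.php hunk, but there the output lands in body text, where the requirement is weaker.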
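Review bot: The new `echo` in pages/account/21.php reads `$_SESSION['_config']['OU']` unconditionally, whereas the sibling change in 16.php guards the same key with `array_key_exists('OU', $_SESSION['_config'])`; if the key can be absent, this line raises an undefined-index notice and passes `null` into `sanitizeHTML()`. The two pages should agree, e.g. `echo _("Org. Unit"), ": ", sanitizeHTML(isset($_SESSION['_config']['OU']) ? $_SESSION['_config']['OU'] : ''), "<br>\n";`. The surrounding context lines still interpolate `$org['O']`, `$org['L']`, `$org['ST']` and `$org['C']` raw; their origin is not visible here, but if they are user-editable organisation data they warrant the same output escaping in a follow-up.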