From 362ed35d683bc07f62a5e83aed1731eb1a8bffc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Mon, 15 Jul 2013 17:59:16 +0200
Subject: bug 1190: Fix possible code injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michael Tänzer <neo@nhng.de>
---
 pages/index/0.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'pages/index')

diff --git a/pages/index/0.php b/pages/index/0.php
index a44b0a8..79a677d 100644
--- a/pages/index/0.php
+++ b/pages/index/0.php
@@ -48,15 +48,15 @@
 
 		$query = "./link";
 		$nodeList = $xpath->query($query, $item);
-		$link = $nodeList->item(0)->nodeValue;
+		$link = htmlspecialchars($nodeList->item(0)->nodeValue);
 
 		$query = "./description";
 		$nodeList = $xpath->query($query, $item);
 		$description = str_replace("&amp;#", "&#", recode_string("UTF8..html" , $nodeList->item(0)->nodeValue));
 
-		printf("<h3> %s </h3>\n", $title);
-		printf("<p> %s </p>\n", $description);
-		printf("<p>[<a href='%s'> %s </a> ] </p>\n\n", $link,_("Full Story"));
+		printf('<h3> %s </h3>\n', $title);
+		printf('<p> %s </p>\n', $description);
+		printf('<p>[<a href="%s"> %s </a> ] </p>\n\n', $link,_("Full Story"));
 
 		$title = '';
 		$description = '';
-- 
cgit v1.2.1