bug 1138: Some escaping for the GnuPG code
authorBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 16:44:40 +0000 (18:44 +0200)
committerBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 18:18:56 +0000 (20:18 +0200)
pages/gpg/2.php

index 54d2bb2..9b3d4f4 100644 (file)
 ?>
   <tr>
 <? if($verified == _("Valid")) { ?>
-    <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['email']?></a></td>
+    <td class="DataTD"><?=intval($verified)?></td>
+    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=intval($row['id'])?>"><?=sanitizeHTML($row['email'])?></a></td>
 <? } else if($verified == _("Pending")) { ?>
     <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><?=$row['email']?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['email'])?></td>
 <? } else { ?>
     <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['email']?></a></td>
+    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=intval($row['id'])?>"><?=sanitizeHTML($row['email'])?></a></td>
 <? } ?>
     <td class="DataTD"><?=$row['expire']?></td>
-    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['keyid']?></a></td>
-    <td class="DataTD"><input name="comment_<?=$row['id']?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
-    <td class="DataTD"><input type="checkbox" name="check_comment_<?=$row['id']?>" /></td>
+    <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=intval($row['id'])?>"><?=sanitizeHTML($row['keyid'])?></a></td>
+    <td class="DataTD"><input name="comment_<?=intval($row['id'])?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
+    <td class="DataTD"><input type="checkbox" name="check_comment_<?=intval($row['id'])?>" /></td>
   </tr>
 <? } ?>
 <? } ?>
@@ -77,5 +77,5 @@
     <td class="DataTD" colspan="6"><input type="submit" name="change" value="<?=_("Change settings")?>" /> </td>
   </tr>
 </table>
-<input type="hidden" name="oldid" value="<?=$id?>" />
+<input type="hidden" name="oldid" value="<?=intval($id)?>" />
 </form>