bug 448: Properly escape data that comes from the database bug-448
authorBenny Baumann <BenBE@geshi.org>
Tue, 11 Mar 2014 21:51:07 +0000 (22:51 +0100)
committerBenny Baumann <BenBE@geshi.org>
Tue, 11 Mar 2014 21:51:07 +0000 (22:51 +0100)
includes/account.php

index ca64ffd..497bf58 100644 (file)
@@ -972,7 +972,7 @@ function buildSubjectFromSession() {
                                        continue;
                                }
                                mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
-                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', $row['CN'], $row['serial']);
+                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', htmlspecialchars($row['CN']), htmlspecialchars($row['serial']));
                        }
 
                        // TRANSLATORS: Please don't translate "Certificate Revocation List (CRL)", it's a technical term
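Review bot: The `htmlspecialchars()` calls on the added `printf` line use PHP's default flags and charset, which differ by interpreter version (ENT_COMPAT leaves single quotes alone, and before PHP 5.4 the default charset is ISO-8859-1 rather than UTF-8), so how the CN is escaped depends on the host rather than on this code. Pass them explicitly: `htmlspecialchars($row['CN'], ENT_QUOTES, 'UTF-8')` and likewise for `$row['serial']`. Be aware that with an explicit UTF-8 charset, a CN containing invalid byte sequences makes `htmlspecialchars()` return an empty string unless ENT_SUBSTITUTE (PHP 5.4+) is also given, so the name would silently vanish from the message rather than render unescaped. The loop these lines sit in starts before the hunk.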
@@ -1132,7 +1132,7 @@ function buildSubjectFromSession() {
                                        continue;
                                }
                                mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
-                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', $row['CN'], $row['serial']);
+                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', htmlspecialchars($row['CN']), htmlspecialchars($row['serial']));
                        }
 
                        // TRANSLATORS: Please don't translate "Certificate Revocation List (CRL)", it's a technical term
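Review bot: The escaping on the added line protects the message, but the `mysql_query()` directly above it still builds the UPDATE with `$id` interpolated into the SQL string, and the hunk does not show where `$id` comes from. If it is not forced to an integer before the loop (its assignment is outside the hunk), that line is a SQL injection path that the output escaping does nothing about; guarding it locally with `$id = intval($id);` before the query, or binding it through a prepared statement, would make this block safe on its own. The loop enclosing these lines starts before the hunk.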
@@ -1762,7 +1762,7 @@ function buildSubjectFromSession() {
                                        continue;
                                }
                                mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
-                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', $row['CN'], $row['serial']);
+                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', htmlspecialchars($row['CN']), htmlspecialchars($row['serial']));
                        }
 
                        // TRANSLATORS: Please don't translate "Certificate Revocation List (CRL)", it's a technical term
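Review bot: Nothing on the added line records why `$row['CN']` and `$row['serial']` need escaping, and since both values come from a database row a later maintainer may treat them as trusted and drop the calls. A one-line comment above the `printf`, `// CN and serial come straight from the DB and are not HTML-safe; escape for HTML output`, would keep the intent visible. The loop enclosing these lines starts before the hunk.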
@@ -2121,7 +2121,7 @@ function buildSubjectFromSession() {
                                        continue;
                                }
                                mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'");
-                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', $row['CN'], $row['serial']);
+                               printf(_("Certificate for '%s' with the serial no '%s' has been revoked.").'<br/>', htmlspecialchars($row['CN']), htmlspecialchars($row['serial']));
                        }
 
                        // TRANSLATORS: Please don't translate "Certificate Revocation List (CRL)", it's a technical term
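Review bot: This is the fourth copy of the same revoke-and-report loop body, differing from the `domaincerts`, `emailcerts` and `orgemailcerts` hunks only in the table name, and the escaping fix had to be applied four times by hand. A small helper taking the table name and the row, e.g. `function revokeAndReport($table, $id, $row)` that runs the UPDATE and prints the escaped message, would give a single place to keep the HTML escaping (and any SQL escaping of `$id`) correct. The enclosing loop starts before the hunk, so the helper's exact signature would need to be settled against that code.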