XSS vulnerability when remote-subscribing

->raw was used on non-filtered strings for some reason; changed
to ->text.
Mikael Nordfeldth 2016-01-05 12:15:50 +01:00
parent df8c14d66a
commit ab93bb009c
1 changed files with 5 additions and 5 deletions


@ -193,31 +193,31 @@ class OStatusSubAction extends Action
$hasFN = ($fullname !== '') ? 'nickname' : 'fn nickname entity_nickname';
$this->elementStart('a', array('href' => $profile,
'class' => 'url '.$hasFN));
$this->raw($nickname);
$this->text($nickname);
$this->elementEnd('a');
if (!is_null($fullname)) {
$this->elementStart('div', 'fn entity_fn');
$this->raw($fullname);
$this->text($fullname);
$this->elementEnd('div');
}
if (!is_null($location)) {
$this->elementStart('div', 'label entity_location');
$this->raw($location);
$this->text($location);
$this->elementEnd('div');
}
if (!is_null($homepage)) {
$this->elementStart('a', array('href' => $homepage,
'class' => 'url entity_url'));
$this->raw($homepage);
$this->text($homepage);
$this->elementEnd('a');
}
if (!is_null($note)) {
$this->elementStart('div', 'note entity_note');
$this->raw($note);
$this->text($note);
$this->elementEnd('div');
}
$this->elementEnd('div');