ENT_COMPAT will only take care of double-quotes. Use double-quotes here to prevent XSS

2019-03-18 13:19:24 +01:00 · 2019-03-18 13:19:24 +01:00 · a086745ec0
commit a086745ec0
parent 51156d0582
4 changed files with 5 additions and 5 deletions
--- a/Zotlabs/Module/Connections.php
+++ b/Zotlabs/Module/Connections.php
@ -329,7 +329,7 @@ class Connections extends \Zotlabs\Web\Controller {
 			killme();
 		}
 		else {
-			$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+			$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
 			$o .= replace_macros(get_markup_template('connections.tpl'),array(
 				'$header' => t('Connections') . (($head) ? ': ' . $head : ''),
 				'$tabs' => $tabs,
--- a/Zotlabs/Module/Directory.php
+++ b/Zotlabs/Module/Directory.php
@ -399,7 +399,7 @@ class Directory extends \Zotlabs\Web\Controller {
 	
 							$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
 	
-							$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . ";  </script>";
+							$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '"; divmore_height = ' . intval($maxheight) . ';  </script>';
 							$o .= replace_macros($tpl, array(
 								'$search' => $search,
 								'$desc' => t('Find'),
--- a/Zotlabs/Module/Photos.php
+++ b/Zotlabs/Module/Photos.php
@ -848,7 +848,7 @@ class Photos extends \Zotlabs\Web\Controller {
 				killme();
 			}
 			else {
-				$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+				$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
 				$tpl = get_markup_template('photo_album.tpl');
 				$o .= replace_macros($tpl, array(
 					'$photos' => $photos,
@ -1396,7 +1396,7 @@ class Photos extends \Zotlabs\Web\Controller {
 			killme();
 		}
 		else {
-			$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+			$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
 			$tpl = get_markup_template('photos_recent.tpl'); 
 			$o .= replace_macros($tpl, array(
 				'$title' => t('Recent Photos'),
--- a/Zotlabs/Module/Viewconnections.php
+++ b/Zotlabs/Module/Viewconnections.php
@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
 			killme();
 		}
 		else {
-			$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+			$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
 			$tpl = get_markup_template("viewcontact_template.tpl");
 			$o .= replace_macros($tpl, array(
 				'$title' => t('View Connections'),