ENT_COMPAT will only take care of double-quotes. Use double-quotes here to prevent XSS
This commit is contained in:
Mario Vavti
@@ -329,7 +329,7 @@ class Connections extends \Zotlabs\Web\Controller {
|
||||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
|
||||
$o .= replace_macros(get_markup_template('connections.tpl'),array(
|
||||
'$header' => t('Connections') . (($head) ? ': ' . $head : ''),
|
||||
'$tabs' => $tabs,
|
||||
|
||||
@@ -399,7 +399,7 @@ class Directory extends \Zotlabs\Web\Controller {
|
||||
|
||||
$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
|
||||
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
|
||||
$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '"; divmore_height = ' . intval($maxheight) . '; </script>';
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$search' => $search,
|
||||
'$desc' => t('Find'),
|
||||
|
||||
@@ -848,7 +848,7 @@ class Photos extends \Zotlabs\Web\Controller {
|
||||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
|
||||
$tpl = get_markup_template('photo_album.tpl');
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$photos' => $photos,
|
||||
@@ -1396,7 +1396,7 @@ class Photos extends \Zotlabs\Web\Controller {
|
||||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
|
||||
$tpl = get_markup_template('photos_recent.tpl');
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$title' => t('Recent Photos'),
|
||||
|
||||
@@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
|
||||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
|
||||
$tpl = get_markup_template("viewcontact_template.tpl");
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$title' => t('View Connections'),
|
||||
|
||||
Reference in New Issue
Block a user