
escape html in syndication targets

pull/52/head
Aaron Parecki 9 years ago
parent
commit
c1101c687d
  1. 6
      views/new-post.php
  2. 2
      views/partials/syndication-js.php

6
views/new-post.php

@ -44,9 +44,9 @@
echo '<ul>'; echo '<ul>';
foreach($this->syndication_targets as $syn) { foreach($this->syndication_targets as $syn) {
echo '<li>' echo '<li>'
. '<button data-syndicate-to="'.(isset($syn['uid']) ? $syn['uid'] : $syn['target']).'" class="btn btn-default btn-block">'
. ($syn['favicon'] ? '<img src="'.$syn['favicon'].'" width="16" height="16"> ' : '')
. $syn['target']
. '<button data-syndicate-to="'.(isset($syn['uid']) ? htmlspecialchars($syn['uid']) : htmlspecialchars($syn['target'])).'" class="btn btn-default btn-block">'
. ($syn['favicon'] ? '<img src="'.htmlspecialchars($syn['favicon']).'" width="16" height="16"> ' : '')
. htmlspecialchars($syn['target'])
. '</button>' . '</button>'
. '</li>'; . '</li>';
} }
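Review bot: The three new `htmlspecialchars()` calls rely on the default flags and charset, which differ between PHP versions (single quotes are escaped by default only from PHP 8.1), so I would pin them on each call, e.g. `htmlspecialchars($syn['target'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Escaping stops the favicon value from breaking out of the `src` attribute but does not constrain what kind of URL it is. If syndication targets are supplied by a remote endpoint (not visible in this hunk), checking that the favicon is an http(s) URL before emitting the `<img>` would be a sensible companion check. `$syn['favicon']` is also read without `isset()`, unlike `uid`, so a target without a favicon raises a notice.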

2
views/partials/syndication-js.php

@ -7,7 +7,7 @@ function reload_syndications() {
var target = data.targets[i].target; var target = data.targets[i].target;
var uid = data.targets[i].uid; var uid = data.targets[i].uid;
var favicon = data.targets[i].favicon; var favicon = data.targets[i].favicon;
$("#syndication-container ul").append('<li><button data-syndicate-to="'+(uid ? uid : target)+'" class="btn btn-default btn-block">'+(favicon ? '<img src="'+favicon+'" width="16" height="16"> ':'')+target+'</button></li>');
$("#syndication-container ul").append('<li><button data-syndicate-to="'+htmlspecialchars(uid ? uid : target)+'" class="btn btn-default btn-block">'+(favicon ? '<img src="'+htmlspecialchars(favicon)+'" width="16" height="16"> ':'')+htmlspecialchars(target)+'</button></li>');
} }
bind_syndication_buttons(); bind_syndication_buttons();
} else { } else {
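Review bot: `htmlspecialchars()` is not a JavaScript built-in, so the new `append(...)` line depends on a page-level helper of that name which neither file in this commit appears to add. If the helper is missing, reload_syndications throws a ReferenceError. If it exists but does not encode `"`, the `data-syndicate-to` and `src` values can still break out of their attributes. Building the nodes through jQuery's attribute and text APIs removes the need for hand-escaping. The sketch below covers only the loop body, since reload_syndications starts and ends outside the hunk.

```javascript
var target = data.targets[i].target;
// … unchanged: uid and favicon assignments …
var button = $('<button class="btn btn-default btn-block">').attr('data-syndicate-to', uid ? uid : target);
if (favicon) {
  // .attr() sets the value on the element, so no HTML parsing of favicon happens
  button.append($('<img width="16" height="16">').attr('src', favicon), ' ');
}
// text node: target is never interpreted as markup
button.append(document.createTextNode(target));
$("#syndication-container ul").append($('<li>').append(button));
```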
