[aur-dev] [PATCH] Fix duplicate escaping of action links
The __() helper function already escapes HTML special characters. Do not escape them again in html_action_*(). Fixes FS#45780.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/aur.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9997535..7d65913 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, $comaintainers) {
  * Format a link in the package actions box
  *
  * @param string $uri The link target
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_link($uri, $desc) {
+function html_action_link($uri, $inner) {
 if (isset($_COOKIE["AURSID"])) {
 $code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
 } else {
 $code = '<a href="' . get_uri('/login/', true) . '?referer=';
 $code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">';
 }
- $code .= htmlspecialchars($desc) . '</a>';
+ $code .= $inner . '</a>';
 return $code;
 }
 
@@ -246,11 +246,11 @@ function html_action_link($uri, $desc) {
  *
  * @param string $uri The link target
  * @param string $action The action name (passed as HTTP POST parameter)
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_form($uri, $action, $desc) {
+function html_action_form($uri, $action, $inner) {
 if (isset($_COOKIE["AURSID"])) {
 $code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" ';
 $code .= 'method="post">';
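Review bot: With `htmlspecialchars($desc)` dropped, html_action_link now writes `$inner` into the page verbatim, so the only thing between a caller and a stored or reflected XSS is the call site remembering to escape; the function itself no longer enforces it, and the new docblock line `@param string $inner The HTML code to use for the link label` reads as an invitation to pass arbitrary markup. The commit message says the label always comes from `__()`, which escapes, but that is a convention of the callers, not something visible or checked in this hunk. State the contract in the docblock so the next caller does not pass a package name or comment text straight through: ` * @param string $inner Pre-escaped HTML for the link label; emitted verbatim, so never pass raw user input`. A one-line comment to the same effect above `$code .= $inner . '</a>';` would make the trust boundary obvious at the point of use. The whole of html_action_link is inside this hunk.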
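Review bot: The new docblock for html_action_form calls `$inner` "the HTML code to use for the link label", but in the logged-in branch the label lands inside the submit button's `value="…"` attribute (shown in the next hunk), where markup is not rendered and an unescaped double quote would break out of the attribute; the removed `htmlspecialchars($desc, ENT_QUOTES)` was what guaranteed attribute safety. Whether `__()` escapes `"` depends on the flags it passes to htmlspecialchars, which this patch does not show; the default flags do escape double quotes, so the double-quoted attribute is presumably still safe, but that should be confirmed against `__()` rather than assumed. Make the docblock describe what the function actually requires instead of "HTML code": ` * @param string $inner Escaped label text; must be safe both as element content and inside a double-quoted attribute`. The function body continues past the end of this hunk.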
@@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) {
 $code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />';
 $code .= '<input type="submit" class="button text-button" name="';
 $code .= htmlspecialchars($action, ENT_QUOTES) . '" ';
- $code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" />';
+ $code .= 'value="' . $inner . '" />';
 $code .= '</form>';
 } else {
 $code = '<a href="' . get_uri('/login/', true) . '">';
- $code .= htmlspecialchars($desc) . '</a>';
+ $code .= $inner . '</a>';
 }
 return $code;
--
2.5.1