[PATCH] Properly escape passwords in the account edit form
Addresses FS#65639. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> --- Our live setup at aur.archlinux.org is already patched. web/template/account_edit_form.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index a4ea994..4ce6b87 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -157,12 +157,12 @@ <legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend> <p> <label for="id_passwd1"><?= __("Password") ?>:</label> - <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> + <input type="password" size="30" name="P" id="id_passwd1" value="<?= htmlspecialchars($P, ENT_QUOTES) ?>" /> </p> <p> <label for="id_passwd2"><?= __("Re-type password") ?>:</label> - <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> + <input type="password" size="30" name="C" id="id_passwd2" value="<?= htmlspecialchars($C, ENT_QUOTES) ?>" /> </p> </fieldset> <?php endif; ?> -- 2.25.1
participants (1)
-
Lukas Fleischer