[aur-dev] [PATCH] Fix duplicate escaping of action links

Lukas Fleischer lfleischer at archlinux.org
Fri Sep 11 20:16:10 UTC 2015


The __() helper function already escapes HTML special characters. Do not
escape them again in html_action_*().

Fixes FS#45780.

Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
 web/lib/aur.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9997535..7d65913 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, $comaintainers) {
  * Format a link in the package actions box
  *
  * @param string $uri The link target
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_link($uri, $desc) {
+function html_action_link($uri, $inner) {
 	if (isset($_COOKIE["AURSID"])) {
 		$code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
 	} else {
 		$code = '<a href="' . get_uri('/login/', true) . '?referer=';
 		$code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">';
 	}
-	$code .= htmlspecialchars($desc) . '</a>';
+	$code .= $inner . '</a>';
 
 	return $code;
 }
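Review bot: With the `htmlspecialchars()` call dropped on the label, html_action_link() now emits `$inner` verbatim, so the escaping contract is enforced only by convention at each call site; a caller that passes a raw package name or other user-controlled text instead of the output of `__()` becomes an HTML-injection point, and the call sites are not visible in this patch to confirm they all go through `__()`. The renamed parameter hints at this but the docblock should make the requirement explicit, e.g. ` * @param string $inner The HTML code to use for the link label (must already be escaped, e.g. the return value of __(); never pass raw user or package data)`. Also worth a one-line note that `$uri` is still escaped here with ENT_QUOTES while the label is not, so the two parameters have different contracts.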
@@ -246,11 +246,11 @@ function html_action_link($uri, $desc) {
  *
  * @param string $uri The link target
  * @param string $action The action name (passed as HTTP POST parameter)
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_form($uri, $action, $desc) {
+function html_action_form($uri, $action, $inner) {
 	if (isset($_COOKIE["AURSID"])) {
 		$code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" ';
 		$code .= 'method="post">';
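Review bot: Describing `$inner` as "HTML code" is misleading for html_action_form(), because in the logged-in branch the value lands inside a submit button's `value="…"` attribute, where markup is not rendered and only attribute-safe escaping matters; the same string is also used as link text in the other branch. Suggest wording the docblock to the actual contract: ` * @param string $inner The escaped label text (used both as the submit button's value attribute and as link text; must be safe in a double-quoted attribute, e.g. the output of __())`. The function body continues beyond this hunk, so the attribute usage itself is reviewed at the next hunk.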
@@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) {
 		$code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />';
 		$code .= '<input type="submit" class="button text-button" name="';
 		$code .= htmlspecialchars($action, ENT_QUOTES) . '" ';
-		$code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" />';
+		$code .= 'value="' . $inner . '" />';
 		$code .= '</form>';
 	} else {
 		$code = '<a href="' . get_uri('/login/', true) . '">';
-		$code .= htmlspecialchars($desc) . '</a>';
+		$code .= $inner . '</a>';
 	}
 
 	return $code;
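Review bot: The removed line escaped the button label with ENT_QUOTES specifically because it sits inside a double-quoted `value="…"` attribute, whereas the new `value="' . $inner . '" />'` relies entirely on whatever flags `__()` uses, which are not visible here. If `__()` calls `htmlspecialchars()` with its default flags (ENT_COMPAT) the double quote is still encoded and this is fine, but if it uses ENT_NOQUOTES a `"` in a translated string would terminate the attribute and inject further attributes. Please confirm `__()` escapes at least double quotes (ideally ENT_QUOTES so the link-text and attribute contexts share one contract), and add a short comment at this line such as `// $inner is attribute-safe only because __() escapes quotes; do not pass unescaped text`. Translated strings are normally translator-controlled rather than end-user input, so the exposure is limited, but the same applies to any caller that does not route the label through `__()`.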
-- 
2.5.1

