Security: Use htmlspecialchars() for user input in Arguments class
This commit is contained in:
parent
0ad246f910
commit
a31d5ae7b1
2 changed files with 9 additions and 2 deletions
|
@ -73,6 +73,8 @@ class Page implements ArrayAccess
|
||||||
'right_aside' => '',
|
'right_aside' => '',
|
||||||
'template' => '',
|
'template' => '',
|
||||||
'title' => '',
|
'title' => '',
|
||||||
|
'section' => '',
|
||||||
|
'module' => '',
|
||||||
];
|
];
|
||||||
/**
|
/**
|
||||||
* @var string The basepath of the page
|
* @var string The basepath of the page
|
||||||
|
@ -509,6 +511,11 @@ class Page implements ArrayAccess
|
||||||
|
|
||||||
$page = $this->page;
|
$page = $this->page;
|
||||||
|
|
||||||
|
// add and escape some common but crucial content for direct "echo" in HTML (security)
|
||||||
|
$page['title'] = htmlspecialchars($page['title'] ?? '');
|
||||||
|
$page['section'] = htmlspecialchars($args->get(0) ?? 'generic');
|
||||||
|
$page['module'] = htmlspecialchars($args->getModuleName() ?? '');
|
||||||
|
|
||||||
header("X-Friendica-Version: " . App::VERSION);
|
header("X-Friendica-Version: " . App::VERSION);
|
||||||
header("Content-type: text/html; charset=utf-8");
|
header("Content-type: text/html; charset=utf-8");
|
||||||
|
|
||||||
|
|
|
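Review bot: `$args->get(0) ?? 'generic'` in the second hunk only falls back to `'generic'` when `get(0)` returns null; the template code this commit replaces passed the default to the accessor itself (`DI::args()->get(0, 'generic')`), which suggests `get()` takes a default and may return `''` rather than null for a missing argument, in which case the `??` fallback never fires. Writing `$page['section'] = htmlspecialchars($args->get(0, 'generic'));` keeps the old default whichever way `get()` behaves. The three `htmlspecialchars()` calls also rely on the default flags, which changed in PHP 8.1 (older runtimes leave single quotes unescaped and return `''` on invalid UTF-8); since these values land in HTML attributes, passing the flags explicitly, e.g. `htmlspecialchars($page['title'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, makes the escaping contract independent of the PHP version. The method containing this hunk starts before it and continues after it.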
@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
|
|
||||||
<body id="top" class="mod-<?php echo DI::args()->getModuleName() . " " . $is_singleuser_class . " " . $view_mode_class;?>">
|
<body id="top" class="mod-<?php echo $page['module'] . " " . $is_singleuser_class . " " . $view_mode_class;?>">
|
||||||
<a href="#content" class="sr-only sr-only-focusable"><?php echo DI::l10n()->t('Skip to main content'); ?></a>
|
<a href="#content" class="sr-only sr-only-focusable"><?php echo DI::l10n()->t('Skip to main content'); ?></a>
|
||||||
<?php
|
<?php
|
||||||
if (!empty($page['nav']) && !$minimal) {
|
if (!empty($page['nav']) && !$minimal) {
|
||||||
|
@ -125,7 +125,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
|
||||||
|
|
||||||
<div class="col-lg-7 col-md-7 col-sm-12 col-xs-12" id="content">
|
<div class="col-lg-7 col-md-7 col-sm-12 col-xs-12" id="content">
|
||||||
<section class="sectiontop ';
|
<section class="sectiontop ';
|
||||||
echo DI::args()->get(0, 'generic');
|
echo $page['section'] ?? '';
|
||||||
echo '-content-wrapper">';
|
echo '-content-wrapper">';
|
||||||
if (!empty($page['content'])) {
|
if (!empty($page['content'])) {
|
||||||
echo $page['content'];
|
echo $page['content'];
|
||||||
|
|
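Review bot: The two replacements are inconsistent about a missing key: the body tag now reads `$page['module']` bare, while the section wrapper reads `$page['section'] ?? ''`, so if this template is ever rendered with a page array lacking these keys only the first emits an undefined-index warning. Either drop the `??` on the second (the Page class sets both keys in the same commit) or write `echo $page['module'] ?? '';` on the first so both share one convention. Both values arrive already escaped from Page, so the template must not escape them again or they will be double-encoded; a short comment at the first use, such as `// $page['module'] and $page['section'] are already htmlspecialchars()-escaped by Page`, would make that contract visible to future template edits.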