HTML-escape notification contact names
This commit is contained in:
parent
a802fada23
commit
e2bfe6dcec
1 changed files with 1 additions and 1 deletions
|
@ -134,6 +134,6 @@ class Notify extends BaseEntity
|
||||||
*/
|
*/
|
||||||
public static function formatMessage(string $name, string $message): string
|
public static function formatMessage(string $name, string $message): string
|
||||||
{
|
{
|
||||||
return str_replace('{0}', '<span class="contactname">' . BBCode::toPlaintext($name, false) . '</span>', htmlspecialchars($message));
|
return str_replace('{0}', '<span class="contactname">' . htmlspecialchars(BBCode::toPlaintext($name, false)) . '</span>', htmlspecialchars($message));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue