Escape all output strings in the header and footer

Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 09:43:03 +00:00 · 2012-02-19 04:49:54 +01:00 · 2012-02-19 04:49:54 +01:00 · 19789c3f75
commit 19789c3f75
parent 6f6904db3f
2 changed files with 4 additions and 4 deletions
--- a/web/template/footer.php
+++ b/web/template/footer.php
@ -2,7 +2,7 @@
 	<!-- End of main content -->
 <?php
 	if ($ver) {
-		echo "<div class=\"pgbox version\">$ver</div>";
+		echo "<div class=\"pgbox version\">" . htmlspecialchars($ver) . "</div>";
 	}
 ?>
 	</body>
--- a/web/template/header.php
+++ b/web/template/header.php
@ -2,7 +2,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"
-	xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>">
+	xml:lang="<?php print htmlspecialchars($LANG, ENT_QUOTES) ?>" lang="<?php print htmlspecialchars($LANG, ENT_QUOTES) ?>">
  <head>
    <title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title>
 	<link rel='stylesheet' type='text/css' href='css/fonts.css' />
@ -52,8 +52,8 @@ reset($SUPPORTED_LANGS);
 foreach ($SUPPORTED_LANGS as $lang => $lang_name) {
        print '<a href="'
 		. htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)
-		."?setlang=$lang\" title=\"$lang_name\">"
-		. strtolower($lang) . "</a>\n";
+		."?setlang=" . htmlspecialchars($lang, ENT_QUOTES) . "\" title=\"" . htmlspecialchars($lang_name, ENT_QUOTES) . "\">"
+		. htmlspecialchars(strtolower($lang)) . "</a>\n";
 }
 ?>
 	</div>