Fix duplicate escaping of action links

The __() helper function already escapes HTML special characters. Do not
escape them again in html_action_*().

Fixes FS#45780.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Lukas Fleischer 2015-08-31 18:01:13 +02:00
parent 57db4814a4
commit 209879d63f


@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, $comaintainers) {
* Format a link in the package actions box * Format a link in the package actions box
* *
* @param string $uri The link target * @param string $uri The link target
* @param string $desc The link label * @param string $inner The HTML code to use for the link label
* *
* @return string The generated HTML code for the action link * @return string The generated HTML code for the action link
*/ */
function html_action_link($uri, $desc) { function html_action_link($uri, $inner) {
if (isset($_COOKIE["AURSID"])) { if (isset($_COOKIE["AURSID"])) {
$code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">'; $code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
} else { } else {
$code = '<a href="' . get_uri('/login/', true) . '?referer='; $code = '<a href="' . get_uri('/login/', true) . '?referer=';
$code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">'; $code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">';
} }
$code .= htmlspecialchars($desc) . '</a>'; $code .= $inner . '</a>';
return $code; return $code;
} }
@ -246,11 +246,11 @@ function html_action_link($uri, $desc) {
* *
* @param string $uri The link target * @param string $uri The link target
* @param string $action The action name (passed as HTTP POST parameter) * @param string $action The action name (passed as HTTP POST parameter)
* @param string $desc The link label * @param string $inner The HTML code to use for the link label
* *
* @return string The generated HTML code for the action link * @return string The generated HTML code for the action link
*/ */
function html_action_form($uri, $action, $desc) { function html_action_form($uri, $action, $inner) {
if (isset($_COOKIE["AURSID"])) { if (isset($_COOKIE["AURSID"])) {
$code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" '; $code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . '" ';
$code .= 'method="post">'; $code .= 'method="post">';
@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) {
$code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />'; $code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" />';
$code .= '<input type="submit" class="button text-button" name="'; $code .= '<input type="submit" class="button text-button" name="';
$code .= htmlspecialchars($action, ENT_QUOTES) . '" '; $code .= htmlspecialchars($action, ENT_QUOTES) . '" ';
$code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" />'; $code .= 'value="' . $inner . '" />';
$code .= '</form>'; $code .= '</form>';
} else { } else {
$code = '<a href="' . get_uri('/login/', true) . '">'; $code = '<a href="' . get_uri('/login/', true) . '">';
$code .= htmlspecialchars($desc) . '</a>'; $code .= $inner . '</a>';
} }
return $code; return $code;
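Review bot: In html_action_form() the new side writes `$inner` unescaped into `value="…"`, so the attribute is only safe while every caller passes text already escaped for a double-quoted attribute; the commit message says __() escapes HTML special characters, but whether that covers quotes is not visible here. Because an attribute value cannot hold markup anyway, that line could keep a guard without re-encoding existing entities: `$code .= 'value="' . htmlspecialchars($inner, ENT_QUOTES, 'UTF-8', false) . '" />';`. For the two `<a>` branches and html_action_link(), where `$inner` is now emitted as raw HTML, the docblocks should state the contract, e.g. `@param string $inner The link label as HTML; the caller must escape it (e.g. via __())`. html_action_form() is split across two hunks and its closing brace lies outside the last one.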