Run p::clean() on any variables that contain data entered by users.

2026-06-20 16:39:54 -04:00 · 2009-05-31 00:11:48 -07:00
parent ad81861c33
commit 708f27f483
18 changed files with 65 additions and 55 deletions
--- a/modules/notification/views/comment_published.html.php
+++ b/modules/notification/views/comment_published.html.php
@@ -1,30 +1,34 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
  <head>
-    <title><?= $subject ?> </title>
+    <title><?= p::clean($subject) ?> </title>
  </head>
  <body>
-    <h2><?= $subject ?></h2>
+    <h2><?= p::clean($subject) ?></h2>
    <table>
      <tr>
        <td><?= t("Comment:") ?></td>
-        <td><?= $comment->text ?></td>
+        <td><?= p::clean($comment->text) ?></td>
      </tr>
      <tr>
        <td><?= t("Author Name:") ?></td>
-        <td><?= $comment->author_name() ?></td>
+        <td><?= p::clean($comment->author_name()) ?></td>
      </tr>
      <tr>
        <td><?= t("Author Email:") ?></td>
-        <td><?= $comment->author_email() ?></td>
+        <td><?= p::clean($comment->author_email()) ?></td>
      </tr>
      <tr>
        <td><?= t("Author URL:") ?></td>
-        <td><?= $comment->author_url() ?></td>
+        <td><?= p::clean($comment->author_url()) ?></td>
      </tr>
      <tr>
        <td><?= t("Url:") ?></td>
-        <td><a href="<?= $comment->item()->url(array(), true) ?>#comments"><?= $comment->item()->url(array(), true) ?>#comments</a></td>
+        <td>
+          <a href="<?= $comment->item()->url(array(), true) ?>#comments">
+            <?= $comment->item()->url(array(), true) ?>#comments
+          </a>
+        </td>
      </tr>
    </table>
  </body>