properly encode signature code
This addresses the XSS vulnerability mentioned in #3044
parent
4e34491f07
commit
f47f9aaf20
|
@ -337,7 +337,7 @@ function tpl_metaheaders($alt = true) {
|
|||
|
||||
$script = "var NS='".$INFO['namespace']."';";
|
||||
if($conf['useacl'] && $INPUT->server->str('REMOTE_USER')) {
|
||||
$script .= "var SIG='".toolbar_signature()."';";
|
||||
$script .= "var SIG=".toolbar_signature().";";
|
||||
}
|
||||
jsinfo();
|
||||
$script .= 'var JSINFO = ' . json_encode($JSINFO).';';
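Review bot: The new `var SIG=` line emits whatever toolbar_signature() returns without checking it, and json_encode() returns false when its input is not valid UTF-8. The output then becomes `var SIG=;`, a syntax error that breaks the whole inline script, including NS and JSINFO. The signature is built from the user's mail address (visible in the other hunk), so a guard such as `$script .= "var SIG=".(toolbar_signature() ?: '""').";";` would keep the page working. The `var NS='...'` line above still builds a quoted JS string by concatenation; unless the namespace is guaranteed to contain no quotes or backslashes, it should go through json_encode() as well. tpl_metaheaders() starts and ends outside this hunk.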
|
||||
|
|
|
@ -251,7 +251,7 @@ function toolbar_signature(){
|
|||
$sig = str_replace('@MAIL@',$INFO['userinfo']['mail'],$sig);
|
||||
$sig = str_replace('@DATE@',dformat(),$sig);
|
||||
$sig = str_replace('\\\\n','\\n',addslashes($sig));
|
||||
return $sig;
|
||||
return json_encode($sig);
|
||||
}
|
||||
|
||||
//Setup VIM: ex: et ts=4 :
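Review bot: addslashes() is still applied on the line before `return json_encode($sig);`, so the value is escaped twice. json_encode() then escapes the backslashes that addslashes() and the `\\n` replacement leave behind, so a quote in the signature reaches the editor as `\'` and the newline marker as a literal `\n` instead of a line break. Dropping addslashes() and converting the marker to a real newline before encoding, e.g. `$sig = str_replace('\\n', "\n", $sig);`, would leave json_encode() as the only escaping step, if a line break is still the intent. Because the result is written into an inline script, `json_encode($sig, JSON_HEX_TAG)` would also keep `<` out of the output. The function now returns a quoted JS literal rather than the raw text, which the docblock should state for any caller outside this hunk that adds its own quotes.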
|
||||
|
|