clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #13655 from keithhacks/escape-notification-contact-names

Browse Source 
(Security) HTML-escape notification contact names
This commit is contained in:
Hypolite Petovan
2023-11-19 23:02:15 -05:00
committed by GitHub
parent fc00bf13bf 777d0d45c6
commit 676ce83dab
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Navigation/Notifications/Entity/Notify.php
View File

@@ -134,6 +134,6 @@ class Notify extends BaseEntity
*/
public static function formatMessage(string $name, string $message): string
{
return str_replace('{0}', '<span class="contactname">' . BBCode::toPlaintext($name, false) . '</span>', htmlspecialchars($message));
return str_replace('{0}', '<span class="contactname">' . htmlspecialchars(BBCode::toPlaintext($name, false)) . '</span>', htmlspecialchars($message));
}
}