aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Photos.php
diff options
context:
space:
mode:
authorMario Vavti <mario@mariovavti.com>2019-03-18 13:19:24 +0100
committerMario Vavti <mario@mariovavti.com>2019-03-18 13:19:24 +0100
commita086745ec021add5638a0527d4e8e14835591e93 (patch)
tree092c099bf6c9f150bc88f966a824dd6b64cf694e /Zotlabs/Module/Photos.php
parent51156d058232969d55032f045859e46bb3a09162 (diff)
downloadvolse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.tar.gz
volse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.tar.bz2
volse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.zip
ENT_COMPAT will only take care of double-quotes. Use double-quotes here to prevent XSS
Diffstat (limited to 'Zotlabs/Module/Photos.php')
-rw-r--r--Zotlabs/Module/Photos.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php
index a761dbd14..161141c3b 100644
--- a/Zotlabs/Module/Photos.php
+++ b/Zotlabs/Module/Photos.php
@@ -848,7 +848,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme();
}
else {
- $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+ $o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
$tpl = get_markup_template('photo_album.tpl');
$o .= replace_macros($tpl, array(
'$photos' => $photos,
@@ -1396,7 +1396,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme();
}
else {
- $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
+ $o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>';
$tpl = get_markup_template('photos_recent.tpl');
$o .= replace_macros($tpl, array(
'$title' => t('Recent Photos'),