diff options
| author | Mario Vavti <mario@mariovavti.com> | 2019-03-18 13:19:24 +0100 |
|---|---|---|
| committer | Mario Vavti <mario@mariovavti.com> | 2019-03-18 13:19:24 +0100 |
| commit | a086745ec021add5638a0527d4e8e14835591e93 (patch) | |
| tree | 092c099bf6c9f150bc88f966a824dd6b64cf694e /Zotlabs/Module/Photos.php | |
| parent | 51156d058232969d55032f045859e46bb3a09162 (diff) | |
| download | volse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.tar.gz volse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.tar.bz2 volse-hubzilla-a086745ec021add5638a0527d4e8e14835591e93.zip | |
ENT_COMPAT will only take care of double-quotes. Use double-quotes here to prevent XSS
Diffstat (limited to 'Zotlabs/Module/Photos.php')
| -rw-r--r-- | Zotlabs/Module/Photos.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php index a761dbd14..161141c3b 100644 --- a/Zotlabs/Module/Photos.php +++ b/Zotlabs/Module/Photos.php @@ -848,7 +848,7 @@ class Photos extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>'; $tpl = get_markup_template('photo_album.tpl'); $o .= replace_macros($tpl, array( '$photos' => $photos, @@ -1396,7 +1396,7 @@ class Photos extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= '<script>var page_query = "' . escape_tags($_GET['q']) . '"; var extra_args = "' . extra_query_args() . '";</script>'; $tpl = get_markup_template('photos_recent.tpl'); $o .= replace_macros($tpl, array( '$title' => t('Recent Photos'), |