File: 0001-Escape-form-value.patch

From: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon, 14 Dec 2015 09:27:09 -0500
Subject: Escape form value.

Even though this is a numeric field, this isn't enforced until
the form is submitted.

(Adapted from upstream 11d74fa5a22fe626c5e5a010b703cd46a136f253)

diff --git a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
index 62ae559..580dc27 100644
--- a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
+++ b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
@@ -48,7 +48,7 @@ class Horde_Core_Ui_VarRenderer_Html extends Horde_Core_Ui_VarRenderer
         return sprintf('<input type="text" size="5" name="%s" id="%s" value="%s"%s />',
                        htmlspecialchars($var->getVarName()),
                        $this->_genID($var->getVarName(), false),
-                       $value,
+                       htmlspecialchars($value),
                        $this->_getActionScripts($form, $var)
                );
     }
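Review bot: The added `htmlspecialchars($value)` relies on the default flags, which on the PHP 5.x this jessie package targets is ENT_COMPAT with UTF-8: double quotes are escaped, which is sufficient for the double-quoted `value="%s"` attribute, but a value that is not valid UTF-8 makes htmlspecialchars return an empty string, so a malformed submission silently renders as an empty field rather than being re-displayed. If that is not the intent, `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` substitutes U+FFFD for bad bytes and also covers a future change to a single-quoted attribute. Separately, the `id="%s"` attribute is still filled from `$this->_genID(...)` unescaped while the neighbouring `name` is escaped; whether that is safe depends on `_genID` sanitising its output, which is not visible here, and is worth confirming while touching this line. The enclosing method's signature is outside the hunk.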
-- 
2.7.0