[aur-dev] [PATCH] Fix duplicate escaping of action links

Fri, 11 Sep 2015 13:17:02 -0700 

The __() helper function already escapes HTML special characters. Do not
escape them again in html_action_*().

Fixes FS#45780.

Signed-off-by: Lukas Fleischer <[email protected]>
---
 web/lib/aur.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9997535..7d65913 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -225,18 +225,18 @@ function html_format_maintainers($maintainer, 
$comaintainers) {
  * Format a link in the package actions box
  *
  * @param string $uri The link target
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_link($uri, $desc) {
+function html_action_link($uri, $inner) {
        if (isset($_COOKIE["AURSID"])) {
                $code = '<a href="' . htmlspecialchars($uri, ENT_QUOTES) . '">';
        } else {
                $code = '<a href="' . get_uri('/login/', true) . '?referer=';
                $code .= urlencode(rtrim(aur_location(), '/') . $uri) . '">';
        }
-       $code .= htmlspecialchars($desc) . '</a>';
+       $code .= $inner . '</a>';
 
        return $code;
 }
@@ -246,11 +246,11 @@ function html_action_link($uri, $desc) {
  *
  * @param string $uri The link target
  * @param string $action The action name (passed as HTTP POST parameter)
- * @param string $desc The link label
+ * @param string $inner The HTML code to use for the link label
  *
  * @return string The generated HTML code for the action link
  */
-function html_action_form($uri, $action, $desc) {
+function html_action_form($uri, $action, $inner) {
        if (isset($_COOKIE["AURSID"])) {
                $code = '<form action="' . htmlspecialchars($uri, ENT_QUOTES) . 
'" ';
                $code .= 'method="post">';
@@ -258,11 +258,11 @@ function html_action_form($uri, $action, $desc) {
                $code .= htmlspecialchars($_COOKIE['AURSID'], ENT_QUOTES) . '" 
/>';
                $code .= '<input type="submit" class="button text-button" 
name="';
                $code .= htmlspecialchars($action, ENT_QUOTES) . '" ';
-               $code .= 'value="' . htmlspecialchars($desc, ENT_QUOTES) . '" 
/>';
+               $code .= 'value="' . $inner . '" />';
                $code .= '</form>';
        } else {
                $code = '<a href="' . get_uri('/login/', true) . '">';
-               $code .= htmlspecialchars($desc) . '</a>';
+               $code .= $inner . '</a>';
        }
 
        return $code;
-- 
2.5.1

Reply via email to