smarty.inc.php - select_options():

- escape $val with htmlentities() (function result will/must be used unescaped later) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1189 a1433add-5e2c-0410-b055-b7f2511e0802
2024-09-20 03:36:20 +02:00 · 2011-09-24 16:35:42 +00:00 · 2011-09-24 16:35:42 +00:00 · dc54de1657
commit dc54de1657
parent bd4889a7c2
1 changed files with 2 additions and 2 deletions
--- a/smarty.inc.php
+++ b/smarty.inc.php
@ -69,10 +69,10 @@ $smarty->assign ('authentication_has_role', array ('global_admin' => authenticat
 function select_options($aValues, $aSelected) {
    $ret_val = '';
    foreach ($aValues as $val) {
-        $ret_val .= '<option value="'.$val.'"';
+        $ret_val .= '<option value="'.htmlentities($val).'"';
        if (in_array ($val, $aSelected))
            $ret_val .= ' selected="selected"';
-        $ret_val .= '>'.$val.'</option>';
+        $ret_val .= '>'.htmlentities($val).'</option>';
    }
    return $ret_val;
 }