diff options
| author | Steve Clay <steve@mrclay.org> | 2013-03-31 15:33:37 -0700 |
|---|---|---|
| committer | Steve Clay <steve@mrclay.org> | 2013-03-31 15:33:37 -0700 |
| commit | 9bbefd18fb86beff8766334459646bcb6d145d28 (patch) | |
| tree | 4bb808dc000f0dfa42f0ff1a03d6e8c421f0363a | |
| parent | 574e9aefd04a6ea75f53d20756edb6a04a31ba2b (diff) | |
| parent | 2d365ba900e40494abeb306e3a881c91e2099ba6 (diff) | |
| download | elgg-9bbefd18fb86beff8766334459646bcb6d145d28.tar.gz elgg-9bbefd18fb86beff8766334459646bcb6d145d28.tar.bz2 | |
Merge pull request #494 from mrclay/fc-plaintext
Allow friend collection names to store arbitrary plain text
| -rw-r--r-- | actions/friends/collections/add.php | 2 | ||||
| -rw-r--r-- | views/default/output/access.php | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/actions/friends/collections/add.php b/actions/friends/collections/add.php index 9dc17b37e..e63a149f7 100644 --- a/actions/friends/collections/add.php +++ b/actions/friends/collections/add.php @@ -6,7 +6,7 @@ * @subpackage Friends.Collections */ -$collection_name = get_input('collection_name'); +$collection_name = htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8'); $friends = get_input('friends_collection'); if (!$collection_name) { diff --git a/views/default/output/access.php b/views/default/output/access.php index 91c5c721e..5c8d62c4d 100644 --- a/views/default/output/access.php +++ b/views/default/output/access.php @@ -11,7 +11,7 @@ if (isset($vars['entity']) && elgg_instanceof($vars['entity'])) { $access_id = $vars['entity']->access_id; $access_class = 'elgg-access'; $access_id_string = get_readable_access_level($access_id); - $access_id_string = htmlentities($access_id_string, ENT_QUOTES, 'UTF-8'); + $access_id_string = htmlspecialchars($access_id_string, ENT_QUOTES, 'UTF-8', false); // if within a group or shared access collection display group name and open/closed membership status // @todo have a better way to do this instead of checking against subtype / class. |