From 17d6bd620d5b4712ca01f5318170384804004a9e Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Mon, 4 Feb 2013 21:03:03 -0500
Subject: Normalized escaping, escape $user->location just in case
---
 engine/lib/users.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'engine/lib')
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 19f4e434d..4a585c07f 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -835,7 +835,7 @@ function validate_username($username) {
 for ($n = 0; $n < strlen($blacklist2); $n++) {
 if (strpos($username, $blacklist2[$n]) !== false) {
 $msg = elgg_echo('registration:invalidchars', array($blacklist2[$n], $blacklist2));
- $msg = htmlentities($msg, ENT_COMPAT, 'UTF-8');
+ $msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
 throw new RegistrationException($msg);
 }
 }
@@ -1331,9 +1331,10 @@ function elgg_users_setup_entity_menu($hook, $type, $return, $params) {
 } else {
 $return = array();
 if (isset($entity->location)) {
+ $location = htmlspecialchars($entity->location, ENT_QUOTES, 'UTF-8', false);
 $options = array(
 'name' => 'location',
- 'text' => "$entity->location",
+ 'text' => "$location",
 'href' => false,
 'priority' => 150,
 );
--
cgit v1.2.3
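Review bot: The loop around the changed line walks `$blacklist2` byte by byte (`strlen`, `$blacklist2[$n]`), so if the blacklist contains any multibyte character the translated message will hold a lone byte, and `htmlspecialchars(..., 'UTF-8')` returns an empty string for invalid UTF-8 unless a substitute flag is given; the RegistrationException would then carry no text. The blacklist definition is outside the hunk, so this needs confirming; if it applies and the minimum supported PHP version provides the flag, `$msg = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps the message intact. The escaping also happens where the exception is built rather than where it is displayed, so a comment such as `// escaped here because the message is presumably output as HTML by the caller; do not escape again` would warn later callers about double-encoding. validate_username starts and ends outside the hunk.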
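Review bot: The fourth argument `false` on the new `htmlspecialchars` call turns off double-encoding without a comment saying why, and it differs from the call in validate_username, which keeps the default. If stored locations may already be entity-encoded by input filtering (not visible here), say so above the line, for example `// location may already contain entities from input filtering; avoid &amp;amp;`; if not, drop the argument so both call sites escape the same way. `htmlspecialchars` expects a string, so if `$entity->location` can hold several values the call needs a guard or a join first; that is inferred and should be checked against how location is stored. The quotes in `'text' => "$location"` are no longer needed, `'text' => $location,` reads more plainly. elgg_users_setup_entity_menu continues outside the hunk, including whatever later renders `text`.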