Merge pull request #2845 from heavygale/patch-1

htmlspecialchars for value attributes in admin gui
2019-08-10 19:49:08 +02:00
parent 03259d66bb 2d74d81cb1
commit 0b5afc253d
1 changed files with 7 additions and 7 deletions
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -679,13 +679,13 @@ $tfa_data = get_tfa();
            <div class="col-sm-6">
              <div class="form-group">
                <label for="sender"><?=$lang['admin']['quarantine_notification_sender'];?>:</label>
-                <input type="text" class="form-control" name="sender" value="<?=$q_data['sender'];?>" placeholder="quarantine@localhost">
+                <input type="text" class="form-control" name="sender" value="<?=htmlspecialchars($q_data['sender']);?>" placeholder="quarantine@localhost">
              </div>
            </div>
            <div class="col-sm-6">
              <div class="form-group">
                <label for="subject"><?=$lang['admin']['quarantine_notification_subject'];?>:</label>
-                <input type="text" class="form-control" name="subject" value="<?=$q_data['subject'];?>" placeholder="Spam Quarantine Notification">
+                <input type="text" class="form-control" name="subject" value="<?=htmlspecialchars($q_data['subject']);?>" placeholder="Spam Quarantine Notification">
              </div>
            </div>
          </div>
@@ -740,13 +740,13 @@ $tfa_data = get_tfa();
          <div class="col-sm-6">
            <div class="form-group">
              <label for="sender"><?=$lang['admin']['quarantine_notification_sender'];?>:</label>
-              <input type="text" class="form-control" name="sender" value="<?=$qw_data['sender'];?>" placeholder="quota-warning@localhost">
+              <input type="text" class="form-control" name="sender" value="<?=htmlspecialchars($qw_data['sender']);?>" placeholder="quota-warning@localhost">
            </div>
          </div>
          <div class="col-sm-6">
            <div class="form-group">
              <label for="subject"><?=$lang['admin']['quarantine_notification_subject'];?>:</label>
-              <input type="text" class="form-control" name="subject" value="<?=$qw_data['subject'];?>" placeholder="Quota warning">
+              <input type="text" class="form-control" name="subject" value="<?=htmlspecialchars($qw_data['subject']);?>" placeholder="Quota warning">
            </div>
          </div>
        </div>
@@ -838,11 +838,11 @@ $tfa_data = get_tfa();
                    <input type="hidden" name="active" value="0">
                    <div class="form-group">
                      <label for="desc"><?=$lang['admin']['rsetting_desc'];?>:</label>
-                      <input type="text" class="form-control" name="desc" value="<?=$rsetting_details['desc'];?>">
+                      <input type="text" class="form-control" name="desc" value="<?=htmlspecialchars($rsetting_details['desc']);?>">
                    </div>
                    <div class="form-group">
                      <label for="content"><?=$lang['admin']['rsetting_content'];?>:</label>
-                      <textarea class="form-control" name="content" rows="10"><?=$rsetting_details['content'];?></textarea>
+                      <textarea class="form-control" name="content" rows="10"><?=htmlspecialchars($rsetting_details['content']);?></textarea>
                    </div>
                    <div class="form-group">
                      <label>