Sanitizing user input
authorLukas Reschke <lukas@statuscode.ch>
Sun, 10 Jun 2012 22:36:58 +0000 (00:36 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Mon, 11 Jun 2012 09:54:03 +0000 (11:54 +0200)
apps/gallery/lib/tiles.php
apps/gallery/templates/index.php

index e43c99bb76a0cee7bd879d4c9e6d22f9deb19135..5837c752ef66bd9de338d77ab6ea059d653083da 100644 (file)
@@ -141,7 +141,7 @@ class TileStack extends TileBase {
        }
 
        public function get() {
-               $r = '<div class="title gallery_div">'.$this->stack_name.'</div>';
+               $r = '<div class="title gallery_div">'.htmlentities($this->stack_name).'</div>';
                for ($i = 0; $i < count($this->tiles_array); $i++) {
                        $top = rand(-5, 5);
                        $left = rand(-5, 5);
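Review bot: The htmlentities() call added on the `$r = '<div class="title gallery_div">'` line passes no flags and no charset, so the result depends on the PHP build's defaults: on the 5.x releases of the time the default charset was ISO-8859-1, which entity-encodes a UTF-8 gallery name byte by byte and renders it garbled, and newer releases return an empty string for an invalid UTF-8 sequence, so the title silently disappears. For this HTML text context the escaping itself is adequate, but the context should be pinned explicitly, `htmlentities($this->stack_name, ENT_QUOTES, 'UTF-8')`. Whether stack_name is attacker-controlled is not visible here; the commit title suggests it is. The rest of get() runs past the end of the hunk.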
@@ -168,7 +168,7 @@ class TileStack extends TileBase {
        }
        
        public function getOnClickAction() {
-               return 'javascript:openNewGal(\''.$this->stack_name.'\');';
+               return 'javascript:openNewGal(\''.htmlentities($this->stack_name).'\');';
        }
 
        private $tiles_array;
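Review bot: The htmlentities() added in getOnClickAction() does not close the injection, because the value is placed inside a JavaScript single-quoted string literal, not HTML text: without ENT_QUOTES the single quote is left untouched, so a stack name containing `'` still terminates the literal and the rest of the name runs as code. Even with ENT_QUOTES it would only hold if the returned string is inserted as text; if the caller (outside this hunk) puts it in an href or onclick attribute, the browser decodes the entity before the JS engine sees it and the quote is back. Escape for the JavaScript context first and HTML-encode only at the point of insertion into the attribute, e.g. `return 'javascript:openNewGal('.json_encode($this->stack_name).');';` with the caller applying `htmlentities(..., ENT_QUOTES, 'UTF-8')` to the whole attribute value. json_encode produces the quoted literal itself and escapes quotes, backslashes and `/`, so no separate quoting is needed.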
index fd83490d60cac9401f69d417a71e350ea81d029c..f9926045498e029f8427c584ab13f412e8d9e6f0 100644 (file)
@@ -14,7 +14,7 @@ div.visible { opacity: 0.8;}
 </style>
 <script type="text/javascript">
 
-var root = "<?php echo $root; ?>";
+var root = "<?php echo htmlentities($root); ?>";
 
 function explode(element) {
        $('div', element).each(function(index, elem) {
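Review bot: htmlentities() is the wrong escaper for the `var root = "..."` line, because it sits inside a `<script>` block where the browser performs no entity decoding: a `&` in the root path is handed to JavaScript as the literal text `&amp;`, so the value is corrupted, while a backslash is not escaped at all and can still swallow the closing quote. Emit a JavaScript literal instead, `var root = <?php echo json_encode($root); ?>;`, which escapes quotes, backslashes and `/` (so `</script>` cannot close the block) and round-trips the original value. The script continues past the end of the hunk, so where root is consumed is not visible here.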