Add some basic sanitization

Better to be safe than sorry ;)
author: Lukas Reschke <lukas@owncloud.com> 2014-10-17 10:35:24 +0200
committer: Lukas Reschke <lukas@owncloud.com> 2014-10-17 10:39:35 +0200
commit: 479424a4590ce99235fe5741828f90926bda4487 (patch)
tree: 61dd6a307d3aad15f3cc1ac4150bc4aaf829b9f8 /settings/templates
parent: 04323fbc19524926973550cc2aa0ab0331a4ca0a (diff)
download: nextcloud-server-479424a4590ce99235fe5741828f90926bda4487.tar.gz
nextcloud-server-479424a4590ce99235fe5741828f90926bda4487.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/settings/templates/personal.php b/settings/templates/personal.php
index b3a26acdb69..cc04de5ec38 100644
--- a/settings/templates/personal.php
+++ b/settings/templates/personal.php
@@ -13,7 +13,7 @@
 		if (isset($form['anchor'])) {
 			$anchor = '#' . $form['anchor'];
 			$sectionName = $form['section-name'];
-			print_unescaped("<li><a href='$anchor'>$sectionName</a></li>");
+			print_unescaped(sprintf("<li><a href='%s'>%s</a></li>", OC_Util::sanitizeHTML($anchor), OC_Util::sanitizeHTML($sectionName)));
 		}
 	}?>
 	</ul>
@@ -165,7 +165,7 @@ if($_['passwordChangeSupported']) {
 
 <?php foreach($_['forms'] as $form) {
 	if (isset($form['form'])) {?>
-	<div id="<?php isset($form['anchor']) ? print_unescaped($form['anchor']) : p('');?>"><?php print_unescaped($form['form']);?></div>
+	<div id="<?php isset($form['anchor']) ? p($form['anchor']) : p('');?>"><?php print_unescaped($form['form']);?></div>
 	<?php }
 };?>
author	Lukas Reschke <lukas@owncloud.com>	2014-10-17 10:35:24 +0200
committer	Lukas Reschke <lukas@owncloud.com>	2014-10-17 10:39:35 +0200
commit	479424a4590ce99235fe5741828f90926bda4487 (patch)
tree	61dd6a307d3aad15f3cc1ac4150bc4aaf829b9f8 /settings/templates
parent	04323fbc19524926973550cc2aa0ab0331a4ca0a (diff)
download	nextcloud-server-479424a4590ce99235fe5741828f90926bda4487.tar.gz nextcloud-server-479424a4590ce99235fe5741828f90926bda4487.zip