Properly escape passwords in the account edit form

Message ID 20200227154939.106533-1-lfleischer@archlinux.org
State New
Headers show
Series
  • Properly escape passwords in the account edit form
Related show

Commit Message

Lukas Fleischer Feb. 27, 2020, 3:49 p.m. UTC
Addresses FS#65639.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
Our live setup at aur.archlinux.org is already patched.

 web/template/account_edit_form.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index a4ea994..4ce6b87 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -157,12 +157,12 @@ 
 		<legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend>
 		<p>
 			<label for="id_passwd1"><?= __("Password") ?>:</label>
-			<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
+			<input type="password" size="30" name="P" id="id_passwd1" value="<?= htmlspecialchars($P, ENT_QUOTES) ?>" />
 		</p>
 
 		<p>
 			<label for="id_passwd2"><?= __("Re-type password") ?>:</label>
-			<input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" />
+			<input type="password" size="30" name="C" id="id_passwd2" value="<?= htmlspecialchars($C, ENT_QUOTES) ?>" />
 		</p>
 	</fieldset>
 	<?php endif; ?>