Merge pull request #79 from forkcms/fix-spoon-form-attributes-xss

carakas · web-flow · commit 8ea81341a17d · 2021-02-18T09:10:25.000+01:00
Fix xss issue with form attributes
diff --git a/spoon/form/attributes.php b/spoon/form/attributes.php
@@ -75,7 +75,7 @@ protected function getAttributesHTML(array $variables)
 			else
 			{
 				$html .= ' ' . $key;
-				if($value !== null) $html .= '="' . str_replace(array_keys($variables), array_values($variables), $value) . '"';
+				if($value !== null) $html .= '="' . Spoonfilter::htmlSpecialChars(str_replace(array_keys($variables), array_values($variables), $value)) . '"';
 			}
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ protected function getAttributesHTML(array $variables)`
`75`	`75`	`else`
`76`	`76`	`{`
`77`	`77`	`$html .= ' ' . $key;`
`78`		`- if($value !== null) $html .= '="' . str_replace(array_keys($variables), array_values($variables), $value) . '"';`
	`78`	`+ if($value !== null) $html .= '="' . Spoonfilter::htmlSpecialChars(str_replace(array_keys($variables), array_values($variables), $value)) . '"';`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`