author | Christian Schmidt <github@chsc.dk> | 2018-04-23 06:01:28 +0300 |
---|---|---|
committer | Matthieu Aubry <mattab@users.noreply.github.com> | 2018-04-23 06:01:28 +0300 |
commit | cde2b27ec4343aaeb5a21aa39a2f10c26d7bbb02 (patch) | |
tree | 987c37386cf356689e418f3ff80fc1396970cf1f /plugins/SitesManager/API.php | |
parent | ebf902a6df433ce2cfc4b24b47b94e194f24ac37 (diff) |
Escape ampersands in URLs (#12731)
Diffstat (limited to 'plugins/SitesManager/API.php')
-rw-r--r-- | plugins/SitesManager/API.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/plugins/SitesManager/API.php b/plugins/SitesManager/API.php
index a42802d4fe..560dff863a 100644
--- a/plugins/SitesManager/API.php
+++ b/plugins/SitesManager/API.php
@@ -167,10 +167,11 @@ class API extends \Piwik\Plugin\API
 */
 Piwik::postEvent('SitesManager.getImageTrackingCode', array(&$piwikUrl, &$urlParams));
- $piwikUrl = (ProxyHttp::isHttps() ? "https://" : "http://") . $piwikUrl . '/piwik.php';
- return "<!-- Matomo Image Tracker-->
-<img src=\"$piwikUrl?" . Url::getQueryStringFromParameters($urlParams) . "\" style=\"border:0\" alt=\"\" />
+ $url = (ProxyHttp::isHttps() ? "https://" : "http://") . $piwikUrl . '/piwik.php?' . Url::getQueryStringFromParameters($urlParams);
+ $html = "<!-- Matomo Image Tracker-->
+<img src=\"" . htmlspecialchars($url, ENT_COMPAT, 'UTF-8') . "\" style=\"border:0\" alt=\"\" />
 <!-- End Matomo -->";
+ return htmlspecialchars($html, ENT_COMPAT, 'UTF-8');
 }
 /** |
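Review bot: The two `htmlspecialchars()` calls on the added `$html` and `return` lines read like an accidental double escape, and nothing in the hunk says they are deliberate. The inner call makes the `src` value well-formed inside the snippet; the outer one turns the whole snippet into inert text, so the URL's `&` reaches the caller as `&amp;amp;`. I would add a comment above the return, e.g. `// Whole snippet is entity-encoded on purpose: output it once, as-is, with no further escaping or decoding`, and state the same in the method's docblock, which starts outside this hunk. Without it, a later cleanup that drops the outer call would hand callers live markup built from `$piwikUrl` and `$urlParams`, both of which `SitesManager.getImageTrackingCode` handlers can rewrite by reference. Using `ENT_QUOTES` on the inner call would also keep the attribute value safe if the quoting around `src` ever changes.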