diff options
| author | Marc Delisle <marc@infomarc.info> | 2011-09-09 21:12:24 +0400 |
|---|---|---|
| committer | Marc Delisle <marc@infomarc.info> | 2011-09-09 21:12:24 +0400 |
| commit | 68cb87a81829581e7457c4a8a6fe6b85ef663834 (patch) | |
| tree | 6b72dcb6c3ab73135ab253730561a915fb11cb70 /tbl_chart.php | |
| parent | 85fc658f3146d245d88d29085f98c62e686eee13 (diff) | |
Escape HTML in column names and values before json_encode()
Diffstat (limited to 'tbl_chart.php')
| -rw-r--r-- | tbl_chart.php | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/tbl_chart.php b/tbl_chart.php index 8caa38e609..43de35144b 100644 --- a/tbl_chart.php +++ b/tbl_chart.php @@ -130,14 +130,25 @@ url_query = '<?php echo $url_query;?>'; </div> <div style="float:left; padding-left:40px;"> <?php echo __('X-Axis label:'); ?> <input style="margin-top:0;" type="text" name="xaxis_label" - value="<?php echo ($yaxis == -1) ? __('X Values') : $keys[$yaxis]; ?>"><br /> + value="<?php echo ($yaxis == -1) ? __('X Values') : htmlspecialchars($keys[$yaxis]); ?>"><br /> <?php echo __('Y-Axis label:'); ?> <input type="text" name="yaxis_label" value="<?php echo __('Y Values'); ?>"> </div> <p style="clear:both;"> </p> <div id="resizer" style="width:600px; height:400px;"> <div id="inner-resizer"> <div id="querychart" style="display:none;"> - <?php echo json_encode($data); ?> +<?php +$sanitized_data = array(); +foreach ($data as $data_row_number => $data_row) { + $tmp_row = array(); + foreach ($data_row as $data_column => $data_value) { + $tmp_row[htmlspecialchars($data_column)] = htmlspecialchars($data_value); + } + $sanitized_data[] = $tmp_row; +} +echo json_encode($sanitized_data); +unset($sanitized_data); +?> </div> </div> </div> |