-rwxr-xr-x | ChangeLog | 1 | ||||
-rw-r--r-- | main.php | 2 | ||||
-rw-r--r-- | themes.php | 10 |
3 files changed, 7 insertions, 6 deletions
@@ -10,6 +10,7 @@ $Source$
 #1013787).
 * libraries/display_export.lib.php: Updated texts to fit Excel 2003 behaviour (bug #1018457).
+ * main.php, themes.php: Escape theme names (bug #1016608).
 2004-09-01 Marc Delisle <lem9@users.sourceforge.net>
 * libraries/auth/cookie.auth.lib.php: bug 939531: when people upgrade
@@ -631,7 +631,7 @@ if (isset($available_themes_choices) && $available_themes_choices > 1) {
 if ($cur_theme == $theme) {
 echo ' selected="selected"';
 }
- echo '>' . $available_themes_choices_names[$cur_theme] . '</option>';
+ echo '>' . htmlspecialchars($available_themes_choices_names[$cur_theme]) . '</option>';
 }
 ?>
 </select>
diff --git a/themes.php b/themes.php
index ae85f1a69c..a210a67439 100644
--- a/themes.php
+++ b/themes.php
@@ -106,7 +106,7 @@ if ($handleThemes = opendir($path_to_themes)) { // open themes
 <tr>
 <th align="left">
 <?php
- echo '<b>' . $theme_name . '</b>';
+ echo '<b>' . htmlspecialchars($theme_name) . '</b>';
 ?>
 </th>
 </tr>
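Review bot: Only the option label is escaped on the `+` line; the `<option value="…">` opening tag for `$cur_theme` is emitted before this hunk starts, so if that attribute echoes `$cur_theme` without `htmlspecialchars()` it needs the same treatment, since it comes from the same theme listing as the names this commit escapes. The comparison `if ($cur_theme == $theme)` on the first context line is loose; `if ($cur_theme === $theme)` avoids type-juggling surprises for numeric-looking directory names. The enclosing `if (isset($available_themes_choices) …)` block and the option loop both begin outside the hunk.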
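Review bot: `$theme_name` is now escaped at this echo site and at three more in the following hunk, but nothing at the point where it is derived records that it is raw, so the next output site added will likely forget. A short comment where `$theme_name` is assigned (outside this hunk) such as `// $theme_name is unescaped directory/theme data: escape at every output site, per context (HTML vs. JS string)` would make the contract explicit. For element content inside `<b>…</b>` the default `htmlspecialchars()` flags are sufficient; the JS-string sites in the next hunk need additional handling. The enclosing `if ($handleThemes = opendir(…))` block begins and ends outside the hunk.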
@@ -119,17 +119,17 @@ if ($handleThemes = opendir($path_to_themes)) { // open themes
 if (document.getElementById) {
 document.write('style="border: 1px solid #000000;" ');
 }
- document.write('alt="<?php echo $theme_name; ?> - Theme" ');
- document.write('title="<?php echo $theme_name; ?> - Theme" />');
+ document.write('alt="<?php echo htmlspecialchars(addslashes($theme_name)); ?> - Theme" ');
+ document.write('title="<?php echo htmlspecialchars(addslashes($theme_name)); ?> - Theme" />');
 document.write('</a><br />');
 document.write('[ <b><a href="#top" onclick="takeThis(\'<?php echo $PMA_Theme; ?>\'); return false;">');
- document.write('<?php echo (isset($strTakeIt) ? addslashes($strTakeIt) : 'take it'); ?>');
+ document.write('<?php echo addslashes($strTakeIt); ?>');
 document.write('</a></b> ]');
 //-->
 </script>
 <noscript>
 <?php
- echo '<img src="' . $screen_directory . '/screen.png" border="1" alt="' . $theme_name . ' - Theme" />';
+ echo '<img src="' . $screen_directory . '/screen.png" border="1" alt="' . htmlspecialchars($theme_name) . ' - Theme" />';
 ?>
 </noscript>
 </td> |
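Review bot: `$PMA_Theme` is still written raw into the `onclick="takeThis('…')"` JavaScript string on the context line two below the new `title=` line, so if it is derived from the same theme directory data as `$theme_name` it needs escaping for that nested JS-string-in-attribute context just as the `alt`/`title` attributes now do. `addslashes()` is not a JavaScript string escaper: literal CR/LF bytes in `$theme_name` pass through and would break the `document.write('…')` literal, so an escaper that also covers CR/LF should back both `+` `alt`/`title` lines (the `addslashes` → `htmlspecialchars` order itself is fine, since `\&quot;` decodes to `&quot;` inside the JS string). On the `+ echo '<img …'` line `$screen_directory` is still concatenated unescaped into `src=`; if it is built from a directory name it warrants the same `htmlspecialchars()`. Dropping the `isset($strTakeIt)` fallback presumably relies on every language file defining `$strTakeIt`; if one does not, the link label becomes empty with an undefined-variable notice. The enclosing `if ($handleThemes = opendir(…))` block begins and ends outside the hunk.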