Properly escape the email name in the javascript function, and htmlspecialchars the name in the output

2010-02-12 18:24:22 +00:00 · 2010-02-12 18:24:22 +00:00 · 1768fffb2b
commit 1768fffb2b
parent 0f746fb914
1 changed files with 1 additions and 1 deletions
--- a/admin/communication.php
+++ b/admin/communication.php
@ -605,7 +605,7 @@ case "email_get_list":
 		if($r->name) $name=$r->name;
 		else $name=i18n("no email name specified");

-		echo "<tr><td><a href=\"#\" onclick=\"return opencommunicationeditor('$r->val',$r->id,$fcid)\">$name</a></td>";
+		echo "<tr><td><a href=\"#\" onclick=\"return opencommunicationeditor('".addslashes($r->val)."',$r->id,$fcid)\">",htmlspecialchars($name)."</a></td>";
 		echo "<td>$r->type</td>";

 		echo " <td align=\"center\">";