Add htmlspecialchars to project title output on winners page to prevent XSS attacks

This commit is contained in:
james 2013-03-10 21:28:31 +00:00
parent 529491456c
commit f4e0048df8


@ -151,7 +151,7 @@ if($_GET['year'] && $_GET['type']) {
if($pr->projectnumber) if($pr->projectnumber)
{ {
echo "&nbsp   "; echo "&nbsp   ";
echo "($pr->projectnumber) $pr->title"; echo "($pr->projectnumber) ".htmlspecialchars($pr->title);
$sq=mysql_query("SELECT students.firstname, $sq=mysql_query("SELECT students.firstname,
students.lastname, students.lastname,
@ -198,9 +198,9 @@ if($_GET['year'] && $_GET['type']) {
echo "&nbsp   "; echo "&nbsp   ";
echo "&nbsp   "; echo "&nbsp   ";
if($studnum > 1) if($studnum > 1)
echo i18n("Students").": $students"; echo i18n("Students").": ".htmlspecialchars($students);
else else
echo i18n("Student").": $students"; echo i18n("Student").": ".htmlspecialchars($students);
echo "<br />"; echo "<br />";
echo "&nbsp&nbsp;&nbsp;&nbsp;"; echo "&nbsp&nbsp;&nbsp;&nbsp;";