
Commit 8a81581

authored
Merge pull request #80 from 418sec/1-packagist-spoon/library
Security Fix for XSS in Spoon form types hidden, date and time - huntr.dev
2 parents 60d09f4 + a8bfbb4 commit 8a81581


5 files changed

+5
-5
lines changed

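--- a/spoon/form/date.php
+++ b/spoon/form/date.php
@@ -377,7 +377,7 @@ public function parse($template = null)
 if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a date field. Please provide a valid name.');
 
 // start html generation
-$output = '<input type="text" value="' . $this->getValue() . '"';
+$output = '<input type="text" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
 
 // add attributes
 $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';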
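Review bot: The `'[value]' => $this->getValue()` entry handed to getAttributesHTML on the last context line is still unescaped, so if getAttributesHTML substitutes that placeholder into attribute strings (its body is outside this hunk) a raw value can still reach the markup through any attribute that uses `[value]`; consider `'[value]' => SpoonFilter::htmlspecialchars($this->getValue())` there as well. The same pattern appears in the password.php, text.php and time.php sections, and hidden.php builds its attribute array after its hunk ends. No regression test accompanies the fix; a test asserting that parse() output for a value containing `"` and `<` contains only the escaped form would pin the new behaviour. parse() continues past the end of this hunk.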

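--- a/spoon/form/hidden.php
+++ b/spoon/form/hidden.php
@@ -109,7 +109,7 @@ public function isFilled()
 public function parse($template = null)
 {
 // start html generation
-$output = '<input type="hidden" value="' . $this->getValue() . '"';
+$output = '<input type="hidden" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
 
 // build attributes
 $attributes = array();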

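--- a/spoon/form/password.php
+++ b/spoon/form/password.php
@@ -273,7 +273,7 @@ public function parse($template = null)
 if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a password field. Please provide a name.');
 
 // start html generation
-$output = '<input type="password" value="' . str_replace(array('"', '<', '>'), array('&quot;', '&lt;', '&gt;'), $this->getValue()) . '"';
+$output = '<input type="password" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
 
 // add attributes
 $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';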

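--- a/spoon/form/text.php
+++ b/spoon/form/text.php
@@ -788,7 +788,7 @@ public function parse($template = null)
 if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a textfield. Please provide a name.');
 
 // start html generation
-$output = '<input value="' . str_replace(array('"', '<', '>'), array('&quot;', '&lt;', '&gt;'), $this->getValue()) . '"';
+$output = '<input value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
 
 // add attributes
 $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';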

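--- a/spoon/form/time.php
+++ b/spoon/form/time.php
@@ -216,7 +216,7 @@ public function parse($template = null)
 if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a time field. Please provide a name.');
 
 // start html generation
-$output = '<input type="text" value="' . $this->getValue() . '"';
+$output = '<input type="text" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
 
 // add attributes
 $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';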
