| author | 2025-01-10 08:54:06 +0100 | |
|---|---|---|
| committer | 2025-01-10 08:54:06 +0100 | |
| commit | f9cb6d3520dd0b216a11829602092eaa6eeb6779 (patch) | |
| tree | 274991e3e7351e6ec62ba55643f238a7cdca1cab /app | |
| parent | 7a79717e102447f72f592fd48aa5d793bcdbf1c6 (diff) | |
HTML escape system info
regression from https://github.com/FreshRSS/FreshRSS/pull/7161
Some of the echoed values can contain HTML special characters such as `<&>`, in particular `HTTP_USER_AGENT`, which is client-controlled.
Diffstat (limited to 'app')
| -rw-r--r-- | app/views/index/about.phtml | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/app/views/index/about.phtml b/app/views/index/about.phtml
index 3c2ccb054..70f9b6641 100644
--- a/app/views/index/about.phtml
+++ b/app/views/index/about.phtml
@@ -23,20 +23,20 @@
 <summary><?= _t('index.about.bug_reports.environment_information') ?></summary>
 <dl>
 <dt><?= _t('index.about.bug_reports.environment_information.version_frss') ?></dt>
- <dd><?= FRESHRSS_VERSION ?></dd>
+ <dd><?= htmlspecialchars(FRESHRSS_VERSION, ENT_NOQUOTES, 'UTF-8') ?></dd>
 <dt><?= _t('index.about.bug_reports.environment_information.version_php') ?></dt>
- <dd><?= PHP_VERSION ?></dd>
+ <dd><?= htmlspecialchars(PHP_VERSION, ENT_NOQUOTES, 'UTF-8') ?></dd>
 <dt><?= _t('index.about.bug_reports.environment_information.database') ?></dt>
- <dd><?= FreshRSS_Context::systemConf()->db['type'] ?></dd>
+ <dd><?= htmlspecialchars(FreshRSS_Context::systemConf()->db['type'], ENT_NOQUOTES, 'UTF-8') ?></dd>
 <?php $databaseDAO = FreshRSS_Factory::createDatabaseDAO(); ?>
- <dd><?= $databaseDAO->version() ?></dd>
+ <dd><?= htmlspecialchars($databaseDAO->version(), ENT_NOQUOTES, 'UTF-8') ?></dd>
 <dt><?= _t('index.about.bug_reports.environment_information.server_software') ?></dt>
 <dd>
 <?= is_string($_SERVER['SERVER_SOFTWARE'] ?? null) ? $_SERVER['SERVER_SOFTWARE'] : '' ?><br />
- <?= php_uname('s') . ' ' . php_uname('r') . ' ' . php_uname('v') . ' ' . php_uname('m') ?>
+ <?= htmlspecialchars(php_uname('s') . ' ' . php_uname('r') . ' ' . php_uname('v') . ' ' . php_uname('m'), ENT_NOQUOTES, 'UTF-8') ?>
 </dd>
 <dt><?= _t('index.about.bug_reports.environment_information.browser') ?></dt>
- <dd><?= is_string($_SERVER['HTTP_USER_AGENT'] ?? null) ? $_SERVER['HTTP_USER_AGENT'] : '' ?></dd>
+ <dd><?= is_string($_SERVER['HTTP_USER_AGENT'] ?? null) ? htmlspecialchars($_SERVER['HTTP_USER_AGENT'], ENT_NOQUOTES, 'UTF-8') : '' ?></dd>
 </dl>
 </details>
 <?php } ?>
|
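Review bot: The `SERVER_SOFTWARE` echo in the context line just above the `php_uname` change is still emitted raw on the new side, so this hunk escapes every other value in the block but leaves one `$_SERVER` entry unescaped; it is set by the web server rather than the client, but that is configuration outside the application's control and the commit's own goal is to escape all of this system info. I would make it consistent with the line that follows it: `<?= is_string($_SERVER['SERVER_SOFTWARE'] ?? null) ? htmlspecialchars($_SERVER['SERVER_SOFTWARE'], ENT_NOQUOTES, 'UTF-8') : '' ?><br />`. Separately, passing `ENT_NOQUOTES` alone drops the `ENT_SUBSTITUTE` flag, so an invalid UTF-8 byte sequence in `HTTP_USER_AGENT` makes `htmlspecialchars()` return an empty string and the browser line silently vanishes from the bug report; `ENT_NOQUOTES | ENT_SUBSTITUTE` keeps the output while still escaping `<`, `>` and `&`. The enclosing `<?php if ... { ?>` block that this hunk closes with `<?php } ?>` starts outside the hunk.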
