- {$introduction}
+ {$introduction|clean_text}
@@ -39,12 +39,12 @@
{foreach from=$USERFIELDS name=userfields key=key item=item}
- - {$item}
+ - {$item|escape}
{/foreach}
{if $relationship == 'pending'}
- {str tag='whymakemeyourfriend' section='group'} {$message}
+ {str tag='whymakemeyourfriend' section='group'} {$message|escape}
{$requestform}
{/if}
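Review bot: `{$requestform}` on the last line of the hunk is still emitted raw while `$message` directly above it now gets `|escape`; if `$requestform` is pre-rendered form markup (as its name suggests) that is correct, but nothing in the template records it, so the next audit of this file will flag it again. A comment such as `{* $requestform is rendered form HTML; do not escape *}` beside it would settle that. The same hunk family also mixes `|clean_text` (on `$introduction` in the previous hunk and on `$item->description` in the two hunks below) with `|escape` here; a one-line template comment stating which modifier user-supplied text gets, and when, would keep a future field from being added with neither.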
@@ -57,7 +57,7 @@
{if $item->description}
- {$item->description}
+ {$item->description|clean_text}
{/if}
{if $item->description && $item->artefacts}
{/if}
{if $item->artefacts}
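Review bot: The `{if $item->artefacts}` branch opened on the hunk's last line renders outside the hunk, so this change does not show whether the artefact titles or links listed there get the same treatment that `$item->description` now receives; if those values are user-supplied they need `|escape` (or `|clean_text` where markup is intended) too, and that cannot be confirmed from here. The hunk at line 80 of the same template makes the identical change to `$item->description` and has the same open question about what follows it. The enclosing block continues past the end of the hunk.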
@@ -80,7 +80,7 @@
{if $item->description}
- {$item->description}
+ {$item->description|clean_text}
{/if}
|
diff --git a/htdocs/user/view.php b/htdocs/user/view.php
index ed72e98..f128e36 100644
--- a/htdocs/user/view.php
+++ b/htdocs/user/view.php
@@ -332,7 +332,7 @@ if ($loggedinid != $userid) {
}
if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
- $loginas = get_string('loginasuser', 'admin', $user->username);
+ $loginas = get_string('loginasuser', 'admin', hsc($user->username));
} else {
$loginas = null;
}
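Review bot: `$loginas` is now HTML-escaped where the string is built rather than where it is output, so the template that prints it (outside this hunk) must emit it raw; if that template applies `|escape` or `hsc()` itself, the username will render as `&amp;...`. A comment on the assignment, `// username already passed through hsc(): the template must output $loginas unescaped`, would keep the two sides in step. Whether the consuming template escapes it cannot be seen from this hunk.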
diff --git a/htdocs/view/artefact.php b/htdocs/view/artefact.php
index 9094632..8559742 100644
--- a/htdocs/view/artefact.php
+++ b/htdocs/view/artefact.php
@@ -87,13 +87,13 @@ $artefactpath[] = array(
'title' => $artefact->display_title(),
);
-$heading = '
' . hsc($view->get('title')) . ' ' . get_string('by', 'view') . '
' . $view->formatted_owner() . '';
+$heading = '
' . hsc($view->get('title')) . ' ' . get_string('by', 'view') . '
' . hsc($view->formatted_owner()) . '';
foreach ($artefactpath as $item) {
if (empty($item['url'])) {
- $heading .= ': ' . $item['title'];
+ $heading .= ': ' . hsc($item['title']);
}
else {
- $heading .= ':
' . $item['title'] . '';
+ $heading .= ':
' . hsc($item['title']) . '';
}
}
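Review bot: The else branch, taken when `$item['url']` is non-empty per the condition on line 53, now escapes `$item['title']` but not `$item['url']`; the surrounding markup has been stripped from this view, so if the URL is interpolated into an `href` attribute there it needs `hsc()` as well, since `&` or `"` in a URL would still break the attribute. Separately, `hsc($view->formatted_owner())` (the same change is made in view/view.php at line 49) relies on `formatted_owner()` returning plain text; a `@return string Unescaped display text` docblock on that method would pin the contract so a later change to return markup is neither double-escaped nor rendered literally. `$heading` itself now carries markup and must be emitted raw by the template, which this hunk does not show.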
diff --git a/htdocs/view/view.php b/htdocs/view/view.php
index ebe6fde..4113f28 100644
--- a/htdocs/view/view.php
+++ b/htdocs/view/view.php
@@ -49,7 +49,7 @@ if ($new) {
else {
$heading = '
' . hsc($view->get('title')) . '';
}
-$heading .= ' ' . get_string('by', 'view') . '
' . $view->formatted_owner() . '';
+$heading .= ' ' . get_string('by', 'view') . '
' . hsc($view->formatted_owner()) . '';
$tutorfilefeedbackformrow = '';