fix XSS in forms

2024-12-07 07:12:42 -05:00 · 2024-12-07 07:12:42 -05:00 · 914350f69b
commit 914350f69b
parent d6a6ce1ffc
1 changed files with 7 additions and 7 deletions
--- a/libs/form.php
+++ b/libs/form.php
@ -2,24 +2,24 @@
    function form($title, $form_message, $inputs, $action = '') { ?>
        <form class='form' enctype="multipart/form-data" method="POST" action="<?php echo $action ?>">
            <h1 class="form-heading">
-                <?php echo $title ?>
+                <?php echo htmlspecialchars($title) ?>
            </h1>
            <span class='form-message'>
-                <?php echo $form_message ?>
+                <?php echo htmlspecialchars($form_message) ?>
            </span>
            <?php
                foreach ($inputs as $kv) { ?>
                    <span class='form-key'>
-                        <?php echo $kv['key'] ?>
+                        <?php echo htmlspecialchars($kv['key']) ?>
                    </span>
                    <<?php echo (($kv['type'] == 'textarea') ? 'textarea' : 'input') ?>
                        class='form-input' 
-                        type="<?php echo $kv['type'] ?>"
+                        type="<?php echo htmlspecialchars($kv['type']) ?>"
-                        name="<?php echo $kv['name'] ?>" 
+                        name="<?php echo htmlspecialchars($kv['name']) ?>" 
 						<?php echo ($kv['type'] == 'hidden') ? 'hidden' : ''?>
-                        value="<?php echo ($kv['type'] == 'textarea') ? '' : $kv['default'] ?>"
+                        value="<?php echo ($kv['type'] == 'textarea') ? '' : htmlspecialchars($kv['default']) ?>"
-                    ><?php echo (($kv['type'] == 'textarea') ? $kv['default'] . '</textarea>' : '') ?>
+                    ><?php echo (($kv['type'] == 'textarea') ? htmlspecialchars($kv['default']) . '</textarea>' : '') ?>
                <?php }
            ?>
            <input class='form-button' type="Submit" name="Submit">