Merge pull request #4099 from sergii-tkachenko/fix-more-reportback-xss

sergiitk · sergiitk · commit 33d20764c107 · 2015-03-03T00:24:14.000+02:00
Fix more reportback XSS vulnerabilities.
diff --git a/lib/themes/dosomething/paraneue_dosomething/templates/campaign/node--campaign--closed.tpl.php b/lib/themes/dosomething/paraneue_dosomething/templates/campaign/node--campaign--closed.tpl.php
@@ -117,7 +117,7 @@
                 <?php endif; ?>
                 <div class="figure__body">
                   <?php if (isset($reportback_gallery_item['first_name'])): ?>
-                    <h3><?php print $reportback_gallery_item['first_name']; ?></h3>
+                    <h3><?php print check_plain($reportback_gallery_item['first_name']); ?></h3>
                   <?php endif; ?>
                   <?php if (isset($reportback_gallery_item['caption'])): ?>
                     <?php print check_plain($reportback_gallery_item['caption']); ?>
diff --git a/lib/themes/dosomething/paraneue_dosomething/templates/campaign/partials/campaign-creator.tpl.php b/lib/themes/dosomething/paraneue_dosomething/templates/campaign/partials/campaign-creator.tpl.php
@@ -23,7 +23,7 @@
         <img src="<?php print $picture['src_square']; ?>" />
       </div>
       <div class="__body">
-        <h4 class="__title heading -delta"><?php print $first_name; ?> <?php print $last_initial; ?></h4>
+        <h4 class="__title heading -delta"><?php print checl_plain($first_name); ?> <?php print $last_initial; ?></h4>
         <p class="__location"><?php print $city; ?>, <?php print $state; ?></p>
         <div class="copy"><?php print $copy; ?></div>
         <div class="form-actions">
diff --git a/lib/themes/dosomething/paraneue_dosomething/templates/reportback/reportback-permalink.tpl.php b/lib/themes/dosomething/paraneue_dosomething/templates/reportback/reportback-permalink.tpl.php
@@ -19,14 +19,15 @@
   <?php echo $copy_vars['owners_rb_subtitle'] ?>
   <?php echo $copy_vars['owners_rb_scholarship'] ?>
   <?php echo check_plain($reportback->caption) ?>
-  <?php echo $user->first_name ?>
+  <?php echo check_plain($user->first_name) ?>
 
   <h3>
   <?php echo $copy_vars['owners_rb_important'] ?>
  </h3>
-  <?php echo $reportback->why_participated ?>
+  <?php echo check_plain($reportback->why_participated) ?>
 
-  <?php echo $reportback->quantity ?> <?php echo $reportback->quantity_label ?>
+  <?php echo check_plain($reportback->quantity) ?>&nbsp;
+  <?php echo $reportback->quantity_label ?>
 
 
 
