[fusion-commits] r2473 - trunk/widgets/Redline
svn_fusion at osgeo.org
Thu Dec 1 00:44:31 EST 2011
Author: liuar
Date: 2011-11-30 21:44:31 -0800 (Wed, 30 Nov 2011)
New Revision: 2473
Modified:
trunk/widgets/Redline/editmarkup.php
Log:
Fix ticket #496 There is no code injection prevention in redline name.
Modified: trunk/widgets/Redline/editmarkup.php
===================================================================
--- trunk/widgets/Redline/editmarkup.php 2011-11-30 02:55:41 UTC (rev 2472)
+++ trunk/widgets/Redline/editmarkup.php 2011-12-01 05:44:31 UTC (rev 2473)
@@ -359,7 +359,7 @@
$selected = 'selected';
foreach($markupFeatures as $markupId => $markupText) {
?>
- <option value="<?= $markupId ?>" <?=$selected ?> ><?= (strlen($markupText) > 0) ? $markupText : '[no text]' ?></option>
+ <option value="<?= $markupId ?>" <?=$selected ?> ><?= (strlen($markupText) > 0) ? htmlentities($markupText) : '[no text]' ?></option>
<?php
$selected = '';
}
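Review bot: on the changed `<option>` line, `$markupId` is still echoed unescaped into the `value="..."` attribute, while only `$markupText` goes through `htmlentities()`. If the keys of `$markupFeatures` can ever carry user-influenced data, a double quote in one would break out of the attribute, so the id should be escaped as well, with a quote-aware call such as `htmlspecialchars($markupId, ENT_QUOTES, 'UTF-8')`. Separately, `htmlentities($markupText)` is called with no flags or charset argument, so the result for non-ASCII redline text depends on the PHP default charset. Passing the flags and encoding explicitly (UTF-8 is an assumption about this page's encoding, not something visible in the hunk) would make the output deterministic. The `'[no text]'` branch is a constant and needs no change.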