Bug #15595
closed
htmlspecialcharing pi_linkTP_keepPIvars_url
Description
pi_linkTP_keepPIvars_url is not htmlspecialchared
changing line 357 in class.tslib_pibase.php from
return ($this->cObj->lastTypoLinkUrl);
to
return htmlspecialchars($this->cObj->lastTypoLinkUrl);
solves the problem
(issue imported from #M2522)
Updated by old_saruman over 18 years ago
hi stucki,
but it seems that this is a blocker for XHTML validity? See:
<form action="index.php?id=21&no_cache=1" method="post" enctype="multipart/for
An entity reference was found in the document, but there is no reference by that name defined. Often this is caused by misspelling the reference name, unencoded ampersands, or by leaving off the trailing semicolon (;). The most common cause of this error is unencoded ampersands in URLs as described by the WDG in "Ampersands in URLs".
Updated by Michael Stucki over 18 years ago
Where is this form generated? If it comes from an extension, then the error must be there.
It is correct that the functions that return only the URL do not htmlspecialchar() it. However, functions that return an HTML tag (A, FORM, IMG, etc.) do have to htmlspecialchar() it.
I close this bug once again, assuming that the error lies in an extension.
- michael
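
The rule from the last comment (functions that return only a URL leave it raw; functions that return an HTML tag encode it), shown as an added PHP example that is not part of the original issue or of TYPO3's code. The function names buildUrl, formTag and buildUrlPreEncoded are hypothetical.

```php
<?php
// Added illustration; these functions are hypothetical, not TYPO3 API.

// Returns a bare URL with no HTML encoding: the caller may place it in a
// Location header, a log line, JSON, or an HTML attribute.
function buildUrl(int $pageId, array $params): string
{
    $query = http_build_query(['id' => $pageId] + $params, '', '&');
    return 'index.php?' . $query;
}

// Returns an HTML tag: the URL is encoded exactly once, at the point where
// it enters the attribute value.
function formTag(string $url): string
{
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" method="post">';
}

// The change proposed in the report, modelled here: encoding inside the
// function that returns only the URL.
function buildUrlPreEncoded(int $pageId, array $params): string
{
    return htmlspecialchars(buildUrl($pageId, $params), ENT_QUOTES, 'UTF-8');
}

// Correct split of responsibilities: raw URL, encoded once in the tag.
$url = buildUrl(21, ['no_cache' => 1]);
echo $url, PHP_EOL;
echo formTag($url), PHP_EOL;

// A pre-encoded URL passed to a tag builder that also encodes is encoded
// twice, so the browser decodes the attribute to a URL containing "&amp;".
$pre = buildUrlPreEncoded(21, ['no_cache' => 1]);
echo formTag($pre), PHP_EOL;

// A pre-encoded URL used outside HTML (for example in a redirect) keeps the
// entity text. The query string is split on "&", so the second parameter
// name is no longer "no_cache".
parse_str((string) parse_url($pre, PHP_URL_QUERY), $seen);
var_dump(array_keys($seen));
```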