BugFix [master] - messages class escape more text automatically (#2612)

because we are using javascript to populate the messages list we need to make sure all special chars are escaped or line feeds will cause problems
2026-01-04 18:53:49 +00:00 · 2017-05-30 20:44:51 +01:00
parent 4167d11ac0
commit f2e1fa6290
1 changed files with 2 additions and 2 deletions
--- a/resources/classes/messages.php
+++ b/resources/classes/messages.php
@@ -39,7 +39,7 @@ if (!class_exists('messages')) {
 				$message_mood = $_SESSION['message_mood'] ?: 'default';
 				$message_delay = $_SESSION['message_delay'];

-				$html .= "display_message('".$message_text."', '".$message_mood."'";
+				$html .= "display_message('".str_replace(array("\r\n", "\n", "\r"),'\\n', htmlspecialchars($message_text))."', '".$message_mood."'";
 				if ($message_delay != '') {
 					$html .= ", '".$message_delay."'";
 				}
@@ -51,7 +51,7 @@ if (!class_exists('messages')) {
 					$message_mood = $message['mood'] ?: 'default';
 					$message_delay = $message['delay'];

-					$html .= "display_message('".$message_text."', '".$message_mood."'";
+					$html .= "display_message('".str_replace(array("\r\n", "\n", "\r"),'\\n', htmlspecialchars($message_text))."', '".$message_mood."'";
 					if ($message_delay != '') {
 						$html .= ", '".$message_delay."'";
 					}