Merge pull request #379 from mashify/patch-1

FIX: XSS bug
esotalk · Nov 9, 2014 · 1ddf6a7 · 1ddf6a7
2 parents 62bb6f2 + 6e2eef9
commit 1ddf6a7
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/lib/ETForm.class.php b/core/lib/ETForm.class.php
@@ -363,7 +363,7 @@ public function input($name, $type = "text", $attributes = array())
 
 	// If this is a textarea, make some custom HTML.
 	if ($type == "textarea") {
-		$value = $attributes["value"];
+		$value = htmlentities($attributes["value"], ENT_NOQUOTES, "UTF-8");
 		unset($attributes["value"]);
 		$input = "<textarea".$this->getAttributes($attributes).">$value</textarea>";
 	}