From 35f72449a09c0db4300dd6d1ff801609dfea86b1 Mon Sep 17 00:00:00 2001
From: Robert Lyon
Date: Thu, 28 Sep 2017 14:07:40 +1300
Subject: [PATCH] Bug 1720034: Journal/Journal post title not being escaped in delete button behatnotneeded
Change-Id: I6f0c82a74e0d60614230aac1d4fc3884eae387a5
Signed-off-by: Robert Lyon
(cherry picked from commit c367be4d30e4b0dd45cd76373b19c7393f7809ee)
(cherry picked from commit 465b7df21db3c4cb2780475d46ec77bcebda8831)
---
 htdocs/artefact/blog/lib.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/artefact/blog/lib.php b/htdocs/artefact/blog/lib.php
index c904f3e143..c473c05825 100644
--- a/htdocs/artefact/blog/lib.php
+++ b/htdocs/artefact/blog/lib.php
@@ -520,7 +520,7 @@ class ArtefactTypeBlog extends ArtefactType {
 global $THEME;
 $confirm = get_string('deleteblog?', 'artefact.blog');
-
+ $title = hsc($title);
 // Check if this blog has posts.
 $postcnt = count_records_sql("
 SELECT COUNT(*)
@@ -1133,6 +1133,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
 $post = new ArtefactTypeBlogPost($id);
 $published = $post->published;
 }
+ $title = hsc($title);
 if ($published) {
 $strchangepoststatus = ' ' .get_string('unpublish', 'artefact.blog');
 }
@@ -1164,6 +1165,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
 }
 public static function delete_form($id, $title = '') {
+ $title = hsc($title);
 global $THEME;
 return pieform(array(
 'name' => 'delete_' . $id,
--
GitLab
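Review bot: Reassigning `$title` to its `hsc()` form in the first hunk (class `ArtefactTypeBlog`) means every later use in the method gets HTML-encoded text, whatever context it ends up in. The place where the title is output lies outside the hunk, so this is unconfirmed. If the title is also handed to something that escapes on render, or lands in a non-HTML context such as a script string, it would be doubly or wrongly encoded. I would keep the raw value and encode next to the output, e.g. `$safetitle = hsc($title);`, with a comment such as `// User-supplied title: HTML-escape before it goes into the delete button markup.` The same applies to the additions in the second and third hunks (class `ArtefactTypeBlogPost`), and the enclosing method here starts and ends outside the hunk.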
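Review bot: In the third hunk the new `$title = hsc($title);` sits above `global $THEME;`, whereas the first hunk adds the same line after the `global` declaration. Keeping declarations first would make the two `delete_form()` bodies read the same way: move the assignment to the line after `global $THEME;`. A short comment saying why the title is escaped here, e.g. `// Title is user-supplied and is rendered in the delete button.`, would also keep a later refactor from dropping it. The body of `delete_form()` continues past the end of the hunk.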