Escape login-as strings

6398759a · Richard Mansfield · b64d6c58 · 6398759a · 6398759a
Commit 6398759a authored Mar 04, 2009 by Richard Mansfield
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

htdocs/admin/users/edit.php htdocs/admin/users/edit.php +1 -1

htdocs/user/view.php htdocs/user/view.php +1 -1

No files found.
--- a/htdocs/admin/users/edit.php
+++ b/htdocs/admin/users/edit.php
@@ -467,7 +467,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1);
 $smarty->assign('institutionform', $institutionform);

 if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', htmlspecialchars($user->username));
 } else {
    $loginas = null;
 }

--- a/htdocs/user/view.php
+++ b/htdocs/user/view.php
@@ -277,7 +277,7 @@ else if (!empty($loggedinid)) {
 }

 if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
-    $loginas = get_string('loginasuser', 'admin', $user->username);
+    $loginas = get_string('loginasuser', 'admin', htmlspecialchars($user->username));
 } else {
    $loginas = null;
 }