Commit 8cc0979a authored by Richard Mansfield's avatar Richard Mansfield

Security fixes from master

parent 5199dc28
......@@ -431,7 +431,7 @@ $smarty->assign('institutions', count($allinstitutions) > 1);
$smarty->assign('institutionform', $institutionform);
if ($id != $USER->get('id') && is_null($USER->get('parentuser'))) {
$loginas = get_string('loginasuser', 'admin', $user->username);
$loginas = get_string('loginasuser', 'admin', hsc($user->username));
} else {
$loginas = null;
}
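Review bot: The escaping on the new line happens when `$loginas` is built rather than when it is rendered, so the value is now HTML, not text, and nothing at this site records that contract; the template that prints it must emit it raw (a later `|escape` on the template side would double-encode `&`, `<` and quotes in the username). A one-line comment above the assignment would pin this down: `// $loginas is pre-escaped HTML (hsc on the username) and is emitted raw by the template; do not escape it again`. The behaviour of `hsc()` itself is not visible in this hunk, so I am assuming it is an `htmlspecialchars` wrapper that quotes both quote characters; if it does not, the link text in the template remains an attribute-safe but not fully-escaped value and the helper is the place to fix that.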
......
......@@ -440,7 +440,7 @@ EOF;
if ($USER->get('parentuser')) {
$smarty->assign('USERMASQUERADING', true);
$smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', display_name($USER)));
$smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', hsc(display_name($USER))));
$smarty->assign('becomeyouagain',
' <a href="' . hsc($wwwroot) . 'admin/users/changeuser.php?restore=1">'
. get_string('becomeadminagain', 'admin', $USER->get('parentuser')->name)
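Review bot: The context line following the `<a href=...>` still passes `$USER->get('parentuser')->name` to `get_string()` and concatenates the result into the `becomeyouagain` HTML without escaping, while the masquerading line two lines above now escapes `display_name($USER)`; the parent user's display name is user-controllable text just like the masqueraded user's, so it needs the same treatment: `. get_string('becomeadminagain', 'admin', hsc($USER->get('parentuser')->name))`. The `$smarty->assign('becomeyouagain', ...)` statement continues past the end of this hunk, so any further interpolations in it are not visible here and should be checked as well.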
......
......@@ -2,7 +2,7 @@
{include file="columnfullstart.tpl"}
<div id="edituser">
<h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user->firstname} {$user->lastname} ({$user->username})</a></h2>
<h2><a href="{$WWWROOT}user/view.php?id={$user->id}">{$user|display_name|escape}</a></h2>
{if !empty($loginas)}
<div><a href="{$WWWROOT}admin/users/changeuser.php?id={$user->id}">{$loginas}</a></div>
{/if}
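Review bot: `{$loginas}` on the line inside the `{if !empty($loginas)}` block is printed without `|escape` while the heading above it now uses `{$user|display_name|escape}`, so a reader of this template cannot tell whether the omission is deliberate; it is only safe because the PHP side escapes the username before building the string. A template comment would make the contract explicit: `{* $loginas is pre-escaped in PHP (hsc on username); adding |escape here would double-encode *}`. The `id={$user->id}` query parameters are left unescaped on both the heading and the login-as link; that is fine only if `$user->id` is always an integer, which this hunk does not show.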
......
......@@ -26,7 +26,7 @@
{foreach from=$results.data item=r}
<tr class="{cycle values="r0,r1"}">
{foreach from=$cols key=f item=c}
<td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]}{else}{eval var=$c.template}{/if}</td>
<td{if (!empty($c.class))} class="{$c.class}"{/if}>{if empty($c.template)}{$r[$f]|escape}{else}{eval var=$c.template}{/if}</td>
{/foreach}
</tr>
{/foreach}
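Review bot: The `|escape` added to the cell only covers the `empty($c.template)` branch; the `{eval var=$c.template}` branch on the same line still evaluates each column's template against the row, so every `$c.template` must escape its own interpolations or the same result-cell XSS remains reachable through any column that defines a template. A comment above the `<td>` should say so for the next person who adds a column: `{* plain cells are escaped here; column templates rendered via eval must escape their own values *}`. Whether the existing column templates already do this is not visible in this hunk.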
......
......@@ -332,7 +332,7 @@ if ($loggedinid != $userid) {
}
if ($userid != $USER->get('id') && $USER->is_admin_for_user($user) && is_null($USER->get('parentuser'))) {
$loginas = get_string('loginasuser', 'admin', $user->username);
$loginas = get_string('loginasuser', 'admin', hsc($user->username));
} else {
$loginas = null;
}
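Review bot: This is the second place in the commit that builds the same pre-escaped `loginasuser` string (the other is the admin user-edit page), differing only in the authorisation condition on the `if` line, so the escaping now has to be remembered at two sites and the raw `{$loginas}` output in the template depends on both of them. A small shared helper that takes the user and returns the escaped string, or at least the same comment at both sites (`// pre-escaped HTML; the template emits $loginas raw`), would keep the contract in one place. The `is_admin_for_user($user)` check is not shown here, so I am assuming it, together with the `parentuser` guard, is the only gate on exposing the login-as link.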
......