Merge pull request #362 from ndm2/bs5-escape-request-params

4.x - Escape request params.
FriendsOfCake · Feb 23, 2022 · e974cb5 · e974cb5
2 parents 7270778 + 831d0e2
commit e974cb5
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/templates/layout/default.php b/templates/layout/default.php
@@ -45,7 +45,7 @@
  */
 $this->prepend(
     'tb_body_attrs',
-    ' class="' . implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) . '" '
+    ' class="' . implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) . '" '
 );
 if (!$this->fetch('tb_body_start')) {
     $this->start('tb_body_start');

diff --git a/templates/layout/examples/cover.php b/templates/layout/examples/cover.php
@@ -13,7 +13,7 @@
 $this->prepend(
     'tb_body_attrs',
     'class="d-flex h-100 text-center text-white bg-dark ' .
-        implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) .
+        implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) .
         '" '
 );
 

diff --git a/templates/layout/examples/dashboard.php b/templates/layout/examples/dashboard.php
@@ -8,7 +8,7 @@
 $this->prepend(
     'tb_body_attrs',
     ' class="' .
-        implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) .
+        implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) .
         '" '
 );
 $this->start('tb_body_start');
@@ -46,7 +46,7 @@ class="navbar-toggler position-absolute d-md-none collapsed" type="button"
             <main role="main" class="col-md-9 ms-sm-auto col-lg-10 px-md-4">
                 <div class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center
                             pt-3 pb-2 mb-3 border-bottom">
-                    <h1 class="h2 page-header"><?= $this->request->getParam('controller'); ?></h1>
+                    <h1 class="h2 page-header"><?= h($this->request->getParam('controller')) ?></h1>
                 </div>
 <?php
 /**

diff --git a/templates/layout/examples/signin.php b/templates/layout/examples/signin.php
@@ -6,7 +6,7 @@
 $this->prepend(
     'tb_body_attrs',
     ' class="text-center ' .
-    implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) .
+    implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) .
     '" '
 );
 $this->start('tb_body_start');