fix: strip tags in comments

thorsten · Feb 14, 2023 · 128ef85 · 128ef85
1 parent ae6c1d8
commit 128ef85
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/phpmyfaq/ajaxservice.php b/phpmyfaq/ajaxservice.php
@@ -200,7 +200,7 @@
                 ->setType($type)
                 ->setUsername($username)
                 ->setEmail($mailer)
-                ->setComment(nl2br($comment))
+                ->setComment(nl2br(strip_tags($comment)))
                 ->setDate($_SERVER['REQUEST_TIME']);
 
             if ($oComment->addComment($commentEntity)) {

diff --git a/phpmyfaq/src/phpMyFAQ/Comments.php b/phpmyfaq/src/phpMyFAQ/Comments.php
@@ -83,7 +83,7 @@ public function getComments(int $id, string $type): string
             $output .= sprintf(
                 '<strong><a href="mailto:%s">%s</a></strong>',
                 $mail->safeEmail($item->getEmail()),
-                $item->getUsername()
+                Strings::htmlentities($item->getUsername())
             );
             $output .= sprintf(' <span class="text-muted">(%s)</span>', $date->format($item->getDate()));
             $output .= '     </div>';