properly escape comment links

2025-12-19 07:31:29 +00:00 · 2012-10-22 01:22:44 +04:00
parent 5c56897349
commit 6e577ba157
2 changed files with 6 additions and 6 deletions
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -633,14 +633,14 @@ class Feeds extends Handler_Protected {
 					if ($num_comments > 0) {
 						if ($line["comments"]) {
-							$comments_url = $line["comments"];
+							$comments_url = htmlspecialchars($line["comments"]);
 						} else {
-							$comments_url = $line["link"];
+							$comments_url = htmlspecialchars($line["link"]);
 						}
 						$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
 					} else {
 						if ($line["comments"] && $line["link"] != $line["comments"]) {
-							$entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+							$entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
 						}
 					}
--- a/include/functions.php
+++ b/include/functions.php
@@ -3352,14 +3352,14 @@
 			if ($num_comments > 0) {
 				if ($line["comments"]) {
-					$comments_url = $line["comments"];
+					$comments_url = htmlspecialchars($line["comments"]);
 				} else {
-					$comments_url = $line["link"];
+					$comments_url = htmlspecialchars($line["link"]);
 				}
 				$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
 			} else {
 				if ($line["comments"] && $line["link"] != $line["comments"]) {
-					$entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+					$entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
 				}
 			}