Do not use the addslashes output for actual HTML to prevent slashes at placed where they are seen by users

thanks to hanno
2014-12-27 09:32:21 +01:00 · 2014-12-27 09:32:21 +01:00 · b2e2298ff0
parent 9d5373f3a1
commit b2e2298ff0
1 changed files with 5 additions and 3 deletions
--- a/serendipity_event_flattr/serendipity_event_flattr.php
+++ b/serendipity_event_flattr/serendipity_event_flattr.php
@ -60,7 +60,7 @@ class serendipity_event_flattr extends serendipity_event {
            'add_to_feed',
        ));
        $propbag->add('author',  'Garvin Hicking, Joachim Breitner', 'Matthias Gutjahr');
-        $propbag->add('version', '1.12.1');
+        $propbag->add('version', '1.13');
        $propbag->add('requirements',  array(
            'serendipity' => '0.7',
            'smarty'      => '2.6.7',
@ -387,16 +387,18 @@ class serendipity_event_flattr extends serendipity_event {
                             "language=".urlencode($flattr_lng).
                             "\">" . $flattr_btn . "</a>";
                } else {
+                    $flattr_tle2 = stripslashes($flattr_tle2);
+                    $flattr_tle2 = (function_exists('serendipity_specialchars') ? serendipity_specialchars($flattr_tle2) : htmlspecialchars($flattr_tle2, ENT_COMPAT, LANG_CHARSET));
                    $flattr = "
 <a class='FlattrButton' style='display:none;'
-    title='" . $flattr_tle . "'
+    title=\"" . $flattr_tle2 . "\"
    data-flattr-uid='" . $flattr_uid . "'
    data-flattr-tags='" . $flattr_tag . "'
    data-flattr-category='" . $flattr_cat . "'
    data-flattr-language='" . $flattr_lng . "'
    href='" . $flattr_url . "'>

-    " . $flattr_dsc . "
+    " . stripslashes($flattr_dsc) . "
 </a>
    ";
                }