Normalized escaping, escape $user->location just in case

author Steve Clay <steve@mrclay.org>

Tue, 5 Feb 2013 02:03:03 +0000 (21:03 -0500)

committer cash <cash.costello@gmail.com>

Sat, 9 Feb 2013 14:38:08 +0000 (09:38 -0500)
author Steve Clay <steve@mrclay.org>
Tue, 5 Feb 2013 02:03:03 +0000 (21:03 -0500)
committer cash <cash.costello@gmail.com>
Sat, 9 Feb 2013 14:38:08 +0000 (09:38 -0500)
diff --git a/engine/lib/users.php b/engine/lib/users.php

index 19f4e434d5bc6fca5fd6510bc197192eeb3c1807..4a585c07f2a60c5dd08dd75cc5eb3d0cf8ca1200 100644 (file)
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -835,7 +835,7 @@ function validate_username($username) {
         for ($n = 0; $n < strlen($blacklist2); $n++) {
                 if (strpos($username, $blacklist2[$n]) !== false) {
                         $msg = elgg_echo('registration:invalidchars', array($blacklist2[$n], $blacklist2));
-                       $msg = htmlentities($msg, ENT_COMPAT, 'UTF-8');
+                       $msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
                         throw new RegistrationException($msg);
                 }
         }
@@ -1331,9 +1331,10 @@ function elgg_users_setup_entity_menu($hook, $type, $return, $params) {
         } else {
                 $return = array();
                 if (isset($entity->location)) {
+                       $location = htmlspecialchars($entity->location, ENT_QUOTES, 'UTF-8', false);
                         $options = array(
                                 'name' => 'location',
-                               'text' => "<span>$entity->location</span>",
+                               'text' => "<span>$location</span>",
                                 'href' => false,
                                 'priority' => 150,
                         );
author	Steve Clay <steve@mrclay.org>
	Tue, 5 Feb 2013 02:03:03 +0000 (21:03 -0500)
committer	cash <cash.costello@gmail.com>
	Sat, 9 Feb 2013 14:38:08 +0000 (09:38 -0500)