Allow friend collection names to store arbitrary plain text
authorSteve Clay <steve@mrclay.org>
Thu, 17 Jan 2013 16:05:16 +0000 (11:05 -0500)
committerSteve Clay <steve@mrclay.org>
Thu, 17 Jan 2013 16:23:28 +0000 (11:23 -0500)
actions/friends/collections/add.php
views/default/output/access.php

index 9dc17b37ec465e8b31b33f1aa52c17e7fc46b3a2..e63a149f758f3200b55435e5bac0d910f702b802 100644 (file)
@@ -6,7 +6,7 @@
  * @subpackage Friends.Collections
  */
 
-$collection_name = get_input('collection_name');
+$collection_name = htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8');
 $friends = get_input('friends_collection');
 
 if (!$collection_name) {
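Review bot: The added assignment stores the collection name already HTML-encoded, and nothing in the file says so, so a later reader cannot tell that output code must treat the value as pre-escaped and that non-HTML consumers would need to decode it. A comment above the line would record this, e.g. `// Stored HTML-escaped; get_input() filtering is skipped, so views must not encode this value a second time.` Separately, `get_input()` presumably can return an array when the request sends `collection_name[]`, and with filtering off that value goes straight into `htmlspecialchars()`. Reading the raw value first keeps the existing empty-name branch in charge: `$raw = get_input('collection_name', '', false);` then `$collection_name = is_string($raw) ? htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') : '';`. The rest of the action lies outside the hunk.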
index 91c5c721e79698b74ac6d5131a1b1691c2aa651c..5c8d62c4d9891934cdee2694d97a00c7c44df216 100644 (file)
@@ -11,7 +11,7 @@ if (isset($vars['entity']) && elgg_instanceof($vars['entity'])) {
        $access_id = $vars['entity']->access_id;
        $access_class = 'elgg-access';
        $access_id_string = get_readable_access_level($access_id);
-       $access_id_string = htmlentities($access_id_string, ENT_QUOTES, 'UTF-8');
+       $access_id_string = htmlspecialchars($access_id_string, ENT_QUOTES, 'UTF-8', false);
 
        // if within a group or shared access collection display group name and open/closed membership status
        // @todo have a better way to do this instead of checking against subtype / class.
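Review bot: The `false` passed as the fourth argument on the added line is unexplained, and it changes what the escaper does: entity sequences already present in `$access_id_string` are now passed through instead of being re-encoded. Markup injection is still covered, since `<`, `>`, quotes and bare `&` are encoded, but correct display now assumes every name returned by `get_readable_access_level()` was escaped when it was written. A name stored raw (presumably including any collection created before this commit) that contains entity-like text such as `&lt;` would be shown as the decoded character. A comment such as `// double_encode off: friend collection names are stored HTML-escaped by actions/friends/collections/add.php` would make that dependency visible. The enclosing `if` block starts before and continues past the hunk.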