Merge pull request #1148 from warcooft/patch-escape-string

fix: escape string to prevent XSS attack

Author: datamweb

src/Views/email_2fa_show.php

@@ -12,7 +12,7 @@
             <p><?= lang('Auth.confirmEmailAddress') ?></p>
 
             <?php if (session('error')) : ?>
-                <div class="alert alert-danger"><?= session('error') ?></div>
+                <div class="alert alert-danger"><?= esc(session('error')) ?></div>
             <?php endif ?>
 
             <form action="<?= url_to('auth-action-handle') ?>" method="post">

src/Views/email_2fa_verify.php

@@ -12,7 +12,7 @@
             <p><?= lang('Auth.emailConfirmCode') ?></p>
 
             <?php if (session('error') !== null) : ?>
-            <div class="alert alert-danger"><?= session('error') ?></div>
+            <div class="alert alert-danger"><?= esc(session('error')) ?></div>
             <?php endif ?>
 
             <form action="<?= url_to('auth-action-verify') ?>" method="post">

src/Views/email_activate_show.php

@@ -10,7 +10,7 @@
             <h5 class="card-title mb-5"><?= lang('Auth.emailActivateTitle') ?></h5>
 
             <?php if (session('error')) : ?>
-                <div class="alert alert-danger"><?= session('error') ?></div>
+                <div class="alert alert-danger"><?= esc(session('error')) ?></div>
             <?php endif ?>
 
             <p><?= lang('Auth.emailActivateBody') ?></p>

src/Views/login.php

@@ -10,22 +10,22 @@
                 <h5 class="card-title mb-5"><?= lang('Auth.login') ?></h5>
 
                 <?php if (session('error') !== null) : ?>
-                    <div class="alert alert-danger" role="alert"><?= session('error') ?></div>
+                    <div class="alert alert-danger" role="alert"><?= esc(session('error')) ?></div>
                 <?php elseif (session('errors') !== null) : ?>
                     <div class="alert alert-danger" role="alert">
                         <?php if (is_array(session('errors'))) : ?>
                             <?php foreach (session('errors') as $error) : ?>
-                                <?= $error ?>
+                                <?= esc($error) ?>
                                 <br>
                             <?php endforeach ?>
                         <?php else : ?>
-                            <?= session('errors') ?>
+                            <?= esc(session('errors')) ?>
                         <?php endif ?>
                     </div>
                 <?php endif ?>
 
                 <?php if (session('message') !== null) : ?>
-                <div class="alert alert-success" role="alert"><?= session('message') ?></div>
+                    <div class="alert alert-success" role="alert"><?= esc(session('message')) ?></div>
                 <?php endif ?>
 
                 <form action="<?= url_to('login') ?>" method="post">

src/Views/register.php

@@ -10,16 +10,16 @@
                 <h5 class="card-title mb-5"><?= lang('Auth.register') ?></h5>
 
                 <?php if (session('error') !== null) : ?>
-                    <div class="alert alert-danger" role="alert"><?= session('error') ?></div>
+                    <div class="alert alert-danger" role="alert"><?= esc(session('error')) ?></div>
                 <?php elseif (session('errors') !== null) : ?>
                     <div class="alert alert-danger" role="alert">
                         <?php if (is_array(session('errors'))) : ?>
                             <?php foreach (session('errors') as $error) : ?>
-                                <?= $error ?>
+                                <?= esc($error) ?>
                                 <br>
                             <?php endforeach ?>
                         <?php else : ?>
-                            <?= session('errors') ?>
+                            <?= esc(session('errors')) ?>
                         <?php endif ?>
                     </div>
                 <?php endif ?>