Another fix for CVE-2020-35132 - closes #137, missed from #130

leenooks · leenooks · commit 1650d6a9211e · 2023-04-02T00:25:47.000+11:00
diff --git a/lib/PageRender.php b/lib/PageRender.php
@@ -556,7 +556,7 @@ protected function drawOldValuesAttribute($attribute) {
 	final protected function drawOldValueAttribute($attribute,$i) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
-		echo $attribute->getOldValue($i);
+		echo htmlspecialchars($attribute->getOldValue($i));
 	}
 
 	/** DRAW DISPLAYED CURRENT VALUES **/

Original file line number	Diff line number	Diff line change
`@@ -556,7 +556,7 @@ protected function drawOldValuesAttribute($attribute) {`
`556`	`556`	`final protected function drawOldValueAttribute($attribute,$i) {`
`557`	`557`	`if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);`
`558`	`558`
`559`		`- echo $attribute->getOldValue($i);`
	`559`	`+ echo htmlspecialchars($attribute->getOldValue($i));`
`560`	`560`	`}`
`561`	`561`
`562`	`562`	`/ DRAW DISPLAYED CURRENT VALUES /`