Escape meta attributes to avoid XSS injection

2025-01-29 11:31:19 +01:00 · 2024-06-07 11:30:16 +02:00 · 2024-06-07 11:30:16 +02:00 · f5312015a5
commit f5312015a5
parent 257150aee2
1 changed files with 3 additions and 3 deletions
--- a/site/templates/partials/meta.php
+++ b/site/templates/partials/meta.php
@ -1,9 +1,9 @@
 <?php foreach ($page->metadata() as $meta) : ?>
    <?php if ($meta->isCharset()) : ?>
-        <meta charset="<?= $meta->content() ?>">
+        <meta charset="<?= $this->escapeAttr($meta->content()) ?>">
    <?php elseif ($meta->isHTTPEquiv()) : ?>
-        <meta http-equiv="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta http-equiv="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
    <?php else : ?>
-        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
    <?php endif ?>
 <?php endforeach ?>